It’s not uncommon for websites to be compromised by cybercriminals who set them up to serve malware drive-by downloads to unsuspecting visitors. However, experts have found that attackers are now targeting not only PC users but also those who surf the web from their Android devices.
Researchers from the mobile security firm Lookout have determined that the phony app, identified as NotCompatible, presents itself as com.Security.Update and is served by sites such as gaoanalitics.info and androidonlinefix.info.
Once the application is downloaded, a notification is displayed, prompting the user to install it. However, the malicious app can only be installed on devices that have the “Unknown sources” setting enabled.
Initial analysis has revealed that the Trojan’s masters use a clever technique to ensure that the malware only ends up on Android phones and not on PCs.
When a PC user loads the gaoanalitics.info site, an error is displayed, but when the word “Android” is found in the User-Agent header, the visitor is redirected to androidonlinefix.info, which causes the browser to download the fake security update.
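A defender-side check for the behaviour described above, added here as an example and not code from Lookout or the original article: it compares how each host answered Android and non-Android clients in web-proxy logs and flags hosts that return errors to everyone except Android browsers, which are redirected elsewhere. The log columns, the 404 status and all sample lines are constructed assumptions; `shop.example` stands in for an ordinary mobile redirect that should not be flagged.

```python
import csv
import io
from collections import defaultdict

APK_MIME = "application/vnd.android.package-archive"

# Constructed sample, not real traffic. Columns are an assumed proxy-log export.
SAMPLE_LOG = """\
host,user_agent,status,location_host,content_type
gaoanalitics.info,Mozilla/5.0 (Windows NT 6.1) Firefox/12.0,404,,text/html
gaoanalitics.info,Mozilla/5.0 (Linux; U; Android 2.3.6) AppleWebKit/533.1,302,androidonlinefix.info,text/html
androidonlinefix.info,Mozilla/5.0 (Linux; U; Android 2.3.6) AppleWebKit/533.1,200,,application/vnd.android.package-archive
shop.example,Mozilla/5.0 (Windows NT 6.1) Firefox/12.0,200,,text/html
shop.example,Mozilla/5.0 (Linux; U; Android 2.3.6) AppleWebKit/533.1,302,m.shop.example,text/html
"""


def find_ua_cloaking(log_text):
    """Return hosts that error for non-Android clients but redirect Android ones."""
    by_host = defaultdict(lambda: {"android": [], "other": []})
    for row in csv.DictReader(io.StringIO(log_text)):
        kind = "android" if "android" in row["user_agent"].lower() else "other"
        by_host[row["host"]][kind].append(row)

    # Hosts seen handing an APK to an Android client.
    apk_hosts = {h for h, seen in by_host.items()
                 if any(r["content_type"] == APK_MIME for r in seen["android"])}

    findings = []
    for host, seen in by_host.items():
        if not seen["android"] or not seen["other"]:
            continue  # both views of the host are needed for a comparison
        others_all_errors = all(int(r["status"]) >= 400 for r in seen["other"])
        targets = {r["location_host"] for r in seen["android"]
                   if 300 <= int(r["status"]) < 400
                   and r["location_host"] not in ("", host)}
        # An ordinary mobile redirect (desktop gets 200) is not flagged.
        if others_all_errors and targets:
            findings.append({"host": host,
                             "redirects_to": sorted(targets),
                             "apk_served_by": sorted(targets & apk_hosts)})
    return findings


if __name__ == "__main__":
    for finding in find_ua_cloaking(SAMPLE_LOG):
        print(finding)
```

A finding with a non-empty `apk_served_by` list is the stronger signal, since it ties the User-Agent-gated redirect to an APK download on the destination host.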
For now, NotCompatible doesn’t seem to be programmed to cause any damage to the devices it infects. Instead, it’s a TCP relay that could be utilized by the cybercriminals to gain access to private networks by turning the compromised Android phone into a proxy.
Fortunately, the sites that serve the Trojan record low traffic, which means that only a small number of users may be impacted. On the other hand, although it doesn’t embed any complex mechanisms to hide its true purpose, the malware represents a threat if it manages to perform its simple task of accessing private networks.
If it gains access to a government or enterprise infrastructure, it could allow those who control it to cause some serious damage.