UPDATED 17:29 EST / NOVEMBER 19 2014

NotCompatible malware is back as a rising threat to corporate mobile users

In May 2012, mobile security firm Lookout reported the appearance of NotCompatible, a malicious program distributed through hacked websites. Once installed, NotCompatible set up a proxy on the handset, turning Android devices into zombies that could relay network traffic on the attacker's behalf. It was the first time hacked websites had been used as a platform to target and infect specific mobile devices.

NotCompatible's technical capabilities and design have changed since it was first detected in May 2012, and so has the delivery method: the program now spreads mainly via spam messages sent from hacked email accounts.

Fast forward to 2014 and mobile hackers have turned a once single-purpose piece of malware into one of the longest-running known mobile botnets. The new variant, which Lookout calls NotCompatible.C, is a fresh threat to Android users.

The emergence of NotCompatible

The first NotCompatible infection campaigns specifically targeted Android devices: the hacked site checked the browser's request for a User-Agent header containing the word 'Android' and, if it found one, pushed the malicious program as a download.

The NotCompatible hackers disguise the code as a legitimate application and lure users into downloading it. If a corporate user's Android device is infected with the NotCompatible Trojan and is connected to a corporate or government network via Wi-Fi or VPN, the attacker can use that device to reach into the network.

A user who clicks the link in the spam from Windows, iOS or OS X is redirected to what appears to be a published article. A user who clicks the same link from an Android device is instead redirected to a fake Android security site offering an "update". Depending on the Android version and browser, the download may start without the user realising it, and the file then sits in the downloads folder; Chrome at least shows a download prompt first.
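The user-agent targeting described above, as an added example that is not part of the article or of Lookout's report: a small Python detector that scans proxy-log lines for the pattern where one URL serves a normal page to non-Android browsers but answers Android browsers with a redirect to an APK. The log format, hostnames and addresses below are constructed for the example.

```python
"""Spot Android-only drive-by redirects in a web proxy log.

Added example (not code from the article or from Lookout). It models the
targeting described above: a hacked page serves normal content to desktop and
iOS browsers but answers Android browsers with a redirect to an APK posing as a
security update. The log lines and format are constructed for the example:

    <timestamp> <client_ip> <method> <url> <status> "<user_agent>" [-> <location>]
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"(?: -> (?P<location>\S+))?$'
)


@dataclass
class Entry:
    ts: str
    client: str
    method: str
    url: str
    status: int
    ua: str
    location: Optional[str]  # Location header on 3xx responses, if logged


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Entry(m['ts'], m['client'], m['method'], m['url'],
                 int(m['status']), m['ua'], m['location'])


def is_android(ua: str) -> bool:
    # The hacked sites keyed on the word 'Android' in the browser's User-Agent.
    return 'android' in ua.lower()


def is_apk(url: str) -> bool:
    return urlparse(url).path.lower().endswith('.apk')


def find_android_only_redirects(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one alert per Android client that was redirected to an APK from a
    URL which served a 200 to non-Android browsers: the signature of user-agent
    based drive-by targeting rather than a site that legitimately hosts APKs."""
    by_url: Dict[str, List[Entry]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            by_url.setdefault(entry.url, []).append(entry)

    alerts: List[Dict[str, object]] = []
    for url, entries in by_url.items():
        android_to_apk = [e for e in entries
                          if is_android(e.ua) and 300 <= e.status < 400
                          and e.location is not None and is_apk(e.location)]
        others_served_page = any(not is_android(e.ua) and e.status == 200
                                 for e in entries)
        if android_to_apk and others_served_page:
            for e in android_to_apk:
                alerts.append({
                    'client': e.client,
                    'url': url,
                    'dropped': e.location,
                    # APK hosted off the hacked site's domain is the usual pattern
                    'cross_site': urlparse(e.location).netloc != urlparse(url).netloc,
                })
    return alerts


# Constructed sample: one hacked story URL, three visitors, plus direct APK fetches.
SAMPLE_LOG = [
    '2014-11-19T17:29:01Z 10.1.5.23 GET http://news.example/story/123 200 '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/38.0"',
    '2014-11-19T17:29:04Z 10.1.5.40 GET http://news.example/story/123 302 '
    '"Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36 Chrome/38.0 Mobile" '
    '-> http://update.example/SecurityUpdate.apk',
    '2014-11-19T17:29:05Z 10.1.5.40 GET http://update.example/SecurityUpdate.apk 200 '
    '"Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36 Chrome/38.0 Mobile"',
    '2014-11-19T17:30:10Z 10.1.5.41 GET http://news.example/story/123 200 '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 Safari"',
    '2014-11-19T17:31:00Z 10.1.5.50 GET http://cdn.example/app/Update.apk 200 '
    '"Mozilla/5.0 (Linux; Android 4.2; GT-I9300) AppleWebKit/534.30 Mobile Safari"',
]

if __name__ == '__main__':
    for alert in find_android_only_redirects(SAMPLE_LOG):
        print(alert)
```

The rule deliberately requires both halves of the pattern: an Android client sent to an APK is not enough on its own (app stores and vendor sites do that legitimately), so the last sample line, a direct APK fetch, does not fire. The `cross_site` flag records whether the APK came from a different host than the hacked page, which is worth surfacing to the analyst but is not required for the alert.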

Although the malware does no direct damage to the phone, it can access the user's data. The Trojan spreads through compromised websites containing hidden iframes that the smartphone's browser loads automatically.

NotCompatible.C – real threat to protected corporate networks

NotCompatible.C turns the device into a web proxy without the user's knowledge, giving attackers a foothold into protected networks. Distribution is via drive-by downloads from hacked websites. What is interesting is that NotCompatible.C is now more sophisticated: its command-and-control infrastructure and communications persist and protect themselves through redundancy and encryption, which makes the botnet hard to pin down and hard to shut down.

The report reveals that “NotCompatible.C contains proxy functionality that allows attackers to infiltrate secure enterprise networks via compromised devices. NotCompatible.C’s use of encryption and peer-to-peer communication mirrors advanced PC threats such as later Conficker. Much like later variants of Conficker, these features of NotCompatible.C would make it more difficult to detect and stop at the network level due to the obfuscation of its communications and the interchangeability of its endpoints.”

NotCompatible.C uses a peer-to-peer protocol and has multiple, geographically distributed command-and-control (C2) servers, which makes it resilient to network-based blocking: the remaining C2 servers keep the malware running even when individual servers are taken down. The same architecture makes it resilient to IP- and DNS-based blocking and to network-based detection, because the endpoints can be swapped out.

Once installed, the program causes no direct damage to the device, but uses it as a proxy, and through that proxy can reach business networks holding sensitive data. Lookout says NotCompatible.C has so far been used largely for sending spam and bypassing e-commerce anti-fraud mechanisms, because a geographically distributed network of devices lets the attackers push large volumes of spam and fraudulent transactions through many different endpoints. According to Lookout, the malware has already reached more than one percent of all mobile devices in the US alone.

Mobile devices are just as exposed as computers to browser-based attacks triggered when a user visits a malicious website. NotCompatible.C is a real threat to the adoption of BYOD in enterprises, but Android users do have a choice of security products to protect them from this kind of threat.

“NotCompatible.C stands as an unacceptable backdoor to have on any device connected to an enterprise’s internal network. Lookout urges enterprises to implement detection to identify infected devices and enforcement to prevent such devices from connecting to Wi-Fi and VPN,” says the company.
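One way to pair the detection and enforcement Lookout calls for, as an added example that is not code from Lookout or from the article: a Python script that contrasts a static C2 blocklist, which the rotating, interchangeable C2 servers described above defeat, with a behavioural rule over per-client flow records from the Wi-Fi segment that flags a handset fanning out to many hosts like a proxy, and then produces the address list a NAC or VPN gateway would quarantine. The flow records, addresses, blocklist and thresholds are all constructed assumptions.

```python
"""Find Wi-Fi clients behaving as botnet relays, then feed them to enforcement.

Added example; not code from Lookout's report. NotCompatible.C proxies traffic
for its operators and keeps its C2 behind redundant, interchangeable servers,
so a blocklist of yesterday's C2 addresses misses it as soon as the endpoints
move. The behavioural rule here looks instead at what the handset does on the
segment: fanning out to many unrelated hosts, including SMTP servers, is not
how a phone browses. Flow records, the blocklist and the thresholds are all
constructed assumptions for the example and must be tuned per network.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    src: str        # client on the BYOD Wi-Fi segment
    dst: str        # external destination
    dport: int
    bytes_out: int


def blocklist_hits(flows: Iterable[Flow], blocklist: Set[str]) -> Set[str]:
    """Clients that contacted a known-bad address. Cheap, but blind to any C2
    server that is not yet on the list."""
    return {f.src for f in flows if f.dst in blocklist}


def relay_suspects(flows: Iterable[Flow], min_dsts: int = 25,
                   min_smtp_dsts: int = 5) -> Dict[str, Dict[str, int]]:
    """Clients whose outbound fan-out looks like proxying rather than browsing.

    Flags a client that reached at least `min_dsts` distinct destinations, or
    at least `min_smtp_dsts` distinct SMTP servers on port 25 (a phone submits
    mail to one provider over 587/465, not to many hosts on 25). Returns the
    per-client counts so an analyst can see why the rule fired."""
    dsts: Dict[str, Set[str]] = defaultdict(set)
    smtp: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        dsts[f.src].add(f.dst)
        if f.dport == 25:
            smtp[f.src].add(f.dst)
    suspects: Dict[str, Dict[str, int]] = {}
    for src, targets in dsts.items():
        stats = {'distinct_dsts': len(targets), 'smtp_dsts': len(smtp[src])}
        if stats['distinct_dsts'] >= min_dsts or stats['smtp_dsts'] >= min_smtp_dsts:
            suspects[src] = stats
    return suspects


def quarantine_list(flows: List[Flow], blocklist: Set[str]) -> Set[str]:
    """Union of both detectors: the client addresses a NAC or VPN gateway
    should move to a quarantine network until the device has been cleaned."""
    return blocklist_hits(flows, blocklist) | set(relay_suspects(flows))


def constructed_flows() -> List[Flow]:
    """Constructed sample: 10.20.0.5 browses normally; 10.20.0.9 checks in with
    a C2 server that is not on the blocklist and relays to forty unrelated hosts."""
    flows = [
        Flow('10.20.0.5', '192.0.2.20', 443, 12000),
        Flow('10.20.0.5', '192.0.2.20', 443, 3000),
        Flow('10.20.0.5', '198.51.100.10', 443, 8000),
        Flow('10.20.0.5', '198.51.100.11', 443, 500),
        Flow('10.20.0.9', '198.51.100.77', 443, 900),   # today's C2 server
    ]
    for i in range(1, 41):
        port = 25 if i % 3 == 0 else 443   # every third relay target is SMTP
        flows.append(Flow('10.20.0.9', f'203.0.113.{i}', port, 1500))
    return flows


# Yesterday's C2 address (constructed); the botnet has since moved to another server.
STALE_C2_BLOCKLIST = {'203.0.113.200'}

if __name__ == '__main__':
    flows = constructed_flows()
    print('blocklist caught:', blocklist_hits(flows, STALE_C2_BLOCKLIST))
    print('behaviour caught:', relay_suspects(flows))
    print('quarantine:', quarantine_list(flows, STALE_C2_BLOCKLIST))
```

On the sample the blocklist catches nothing, because the relay is already talking to a C2 address the list does not know, while the fan-out rule flags it on both counts. In practice the quarantine set is what gets pushed to the Wi-Fi controller or VPN concentrator as a deny rule; the thresholds are deliberately parameters, since a segment full of tablets running sync clients will need different values from one full of phones.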

The report concludes that the key to not being overwhelmed by this malware is to secure every device by implementing the proper policies and procedures. An ounce of prevention is worth a pound of cure in the mobile sphere, so vetting applications, securing devices, and isolating them from outside influence is extremely important.

Image credit: CC0 Public Domain, http://pixabay.com/en/malware-virus-hacker-trojan-297722/
