Android Malware Spreading for First Time via Hacked Sites

By Lisa Vaas  |  Posted 2012-05-03 Print this article Print

Lookout Mobile Security is seeing the first Trojan that's coming over as a drive-by download, which hopefully won't spread far, given the compromised sites' relatively low traffic.

Drive-by malware downloads are nothing new€”unless, that is, they're targeting the Android operating system, which is exactly what a newly discovered Trojan is doing.

Lookout Mobile Security on Wednesday reported that for the first time, a hacked site is distributing malware for Google's mobile operating system.

Lookout says that the new Trojan, dubbed "NotCompatible," poses as a system update, but in reality appears to serve as a simple TCP relay/proxy.

Currently, NotCompatible isn't directly harming the victimized devices, but Lookout writes that it could potentially be used to gain access to private networks by turning infected Android devices into proxies.

Fortunately, the infection rate, at least at this preliminary stage, is low. The malware is on a number of compromised sites, all of which have a hidden iframe at the bottom of their pages.

Those sites show "relatively low traffic," Lookout says. The security firm is surmising that the total impact to Android users will thus be slight.

If a user visits a compromised page, his or her mobile browser will automatically begin to download the NotCompatible application, which will come over as "Update.apk." The download has to be successful in order for the device to be infected.

If the malware successfully downloads, the infected device prompts the user to click on the notification to install the downloaded app. Lookout notes that the device will install the app only if the "Unknown sources" setting is enabled€”otherwise, the download is blocked. To check the setting on your Android device to block the download, go to Settings >> Applications >>Unknown sources.

Drive-by Android malware may be a first, but it's hardly surprising. If mobile malware were a popularity contest, Android would be prom queen, judging by recent headlines.

For example Juniper Networks reported in February that malware targeting Android grew by an eye-popping 3,325 percent in the last seven months of 2011. Out of all the unique malware samples targeting mobile platforms, nearly half€”about 46.7 percent€”were Android malware. McAfee, for its part, also predicted in November 2011 there would be 75 million unique malware samples by the end of 2011.

Those numbers are huge, but they should be taken with a grain of salt. As ExtremeTech's Ryan Whitwam noted at the time those numbers were released, the counts include all malware signatures detected across the entire Internet, not just those in Android Market. They also count variations of existing threats as entirely new signatures, thus inflating the counts.

Inflated malware signature numbers exaggerate the dangers. But nobody can argue that Android's popularity is growing, and that makes it an ever more attractive target. In the past few weeks alone, we've seen the fake Instagram app, the fake "Angry Birds Space" game, the fake token generator and the Trojan disguised as "The Roar of the Pharoah" game.

As eWEEK reported in November 2011, security researchers blame this Android malware growth on the ease of posting applications to Google Play (nee Android Market). All malware developers need, Juniper researchers have noted, is a developer account and $25, and they're good to go.

Drive-by downloads are a whole new kettle of fish, given that they're off of Google Play and thereby beyond the reach of Google's policing.

The takeaway: Be careful with those mobile device settings. They're there to protect us, and beyond our devices' security settings, there be dragons.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel