Android Malware Spreading for First Time via Hacked Sites

Lookout Mobile Security is seeing the first Trojan that's coming over as a drive-by download, which hopefully won't spread far, given the compromised sites' relatively low traffic.

Drive-by malware downloads are nothing new€”unless, that is, they're targeting the Android operating system, which is exactly what a newly discovered Trojan is doing.

Lookout Mobile Security on Wednesday reported that for the first time, a hacked site is distributing malware for Google's mobile operating system.

Lookout says that the new Trojan, dubbed "NotCompatible," poses as a system update, but in reality appears to serve as a simple TCP relay/proxy.

Currently, NotCompatible isn't directly harming the victimized devices, but Lookout writes that it could potentially be used to gain access to private networks by turning infected Android devices into proxies.

Fortunately, the infection rate, at least at this preliminary stage, is low. The malware is on a number of compromised sites, all of which have a hidden iframe at the bottom of their pages.

Those sites show "relatively low traffic," Lookout says. The security firm is surmising that the total impact to Android users will thus be slight.

If a user visits a compromised page, his or her mobile browser will automatically begin to download the NotCompatible application, which will come over as "Update.apk." The download has to be successful in order for the device to be infected.

If the malware successfully downloads, the infected device prompts the user to click on the notification to install the downloaded app. Lookout notes that the device will install the app only if the "Unknown sources" setting is enabled€”otherwise, the download is blocked. To check the setting on your Android device to block the download, go to Settings >> Applications >>Unknown sources.

Drive-by Android malware may be a first, but it's hardly surprising. If mobile malware were a popularity contest, Android would be prom queen, judging by recent headlines.

For example Juniper Networks reported in February that malware targeting Android grew by an eye-popping 3,325 percent in the last seven months of 2011. Out of all the unique malware samples targeting mobile platforms, nearly half€”about 46.7 percent€”were Android malware. McAfee, for its part, also predicted in November 2011 there would be 75 million unique malware samples by the end of 2011.

Those numbers are huge, but they should be taken with a grain of salt. As ExtremeTech's Ryan Whitwam noted at the time those numbers were released, the counts include all malware signatures detected across the entire Internet, not just those in Android Market. They also count variations of existing threats as entirely new signatures, thus inflating the counts.

Inflated malware signature numbers exaggerate the dangers. But nobody can argue that Android's popularity is growing, and that makes it an ever more attractive target. In the past few weeks alone, we've seen the fake Instagram app, the fake "Angry Birds Space" game, the fake token generator and the Trojan disguised as "The Roar of the Pharoah" game.

As eWEEK reported in November 2011, security researchers blame this Android malware growth on the ease of posting applications to Google Play (nee Android Market). All malware developers need, Juniper researchers have noted, is a developer account and $25, and they're good to go.

Drive-by downloads are a whole new kettle of fish, given that they're off of Google Play and thereby beyond the reach of Google's policing.

The takeaway: Be careful with those mobile device settings. They're there to protect us, and beyond our devices' security settings, there be dragons.