New drive-by malware that attacks Android users visiting compromised websites has been discovered by Reddit user georgiabiker.
Sites distributing the malware have themselves been compromised and injected with malicious code called Troj/Iframe-HX. The malicious code examines the User-Agent string sent by the browser to see if it contains the string “Android”; if it does, a malicious Android package called Update.apk is sent to the browser.
Hacked websites are commonly used to infect PCs with malware, but this is the first example of Android users being targeted by this technique.
The good news about this malware is that it is only downloaded automatically, and relies on the user to do the job of installing it. For this to work, the “Unknown sources” setting must be enabled (a feature commonly referred to as “sideloading”).
According to analysis carried out by Lookout Mobile Security, the malware is designed to act as a proxy. Its purpose is thought to be to steal data from devices connected to corporate networks and VPNs, as the malware only requests network permissions. This could allow the malware to compromise systems maintained by enterprises and government agencies.
Unlike most examples of Android malware, this piece of malware doesn’t seem to collect contact details, SMSs, email and other personal details.
The best way to protect yourself from Android malware is to not install unknown packages on your device that have been downloaded from unknown websites.
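On a managed network, the User-Agent-conditional delivery described above can be hunted for in web proxy logs. The following is an added example, not code from the original article or from Lookout: it flags APK responses sent to Android browsers from hosts outside an allowlist and reports the referring page, which is the site to inspect for injected code. The log layout, host names and allowlist are assumptions, and the sample lines are constructed.

```python
from urllib.parse import urlsplit

APK_MIME = "application/vnd.android.package-archive"
# Assumption: hosts this organisation legitimately serves APKs from.
ALLOWED_APK_HOSTS = {"mdm.corp.example"}

# Constructed sample, tab-separated: time, client, user agent, URL, referer, content type.
ANDROID_UA = "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us) AppleWebKit/533.1"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19"
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("2024-01-01T10:00:01Z", "10.0.0.5", ANDROID_UA, "http://news.example/index.html", "-", "text/html"),
    ("2024-01-01T10:00:02Z", "10.0.0.5", ANDROID_UA, "http://cdn.invalid/Update.apk", "http://news.example/index.html", APK_MIME),
    ("2024-01-01T10:01:00Z", "10.0.0.9", DESKTOP_UA, "http://news.example/index.html", "-", "text/html"),
    ("2024-01-01T10:02:00Z", "10.0.0.7", ANDROID_UA, "https://mdm.corp.example/agent.apk", "-", APK_MIME),
    ("2024-01-01T10:03:00Z", "10.0.0.8", ANDROID_UA, "http://files.invalid/Update.apk", "http://blog.example/", "application/octet-stream"),
])


def is_apk(url, content_type):
    """True if the response looks like an Android package, even when mislabelled."""
    mime = content_type.split(";")[0].strip().lower()
    return mime == APK_MIME or urlsplit(url).path.lower().endswith(".apk")


def find_apk_pushes(log_text, allowed_hosts=ALLOWED_APK_HOSTS):
    """Return APK deliveries to Android browsers from hosts not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip malformed or truncated lines
        ts, client, ua, url, referer, ctype = fields
        host = (urlsplit(url).hostname or "").lower()
        if "android" not in ua.lower() or not is_apk(url, ctype):
            continue
        if host in allowed_hosts:
            continue
        findings.append({"time": ts, "client": client, "apk_url": url,
                         "referring_page": None if referer == "-" else referer})
    return findings


if __name__ == "__main__":
    for hit in find_apk_pushes(SAMPLE_LOG):
        print(hit)
```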