For the first time, malware is exploiting hacked Web sites as part of a scheme to target mobile devices, researchers say. The new piece of malware—called a Trojan, because it is disguised as a piece of safe software—is known as NotCompatible and is directed at Android smartphones and tablets. There is a risk that corporate networks will be compromised, but it appears for now to be low, said the security researcher who revealed the malware.
The attacker has placed the malware on dozens of low-traffic websites. Once installed, it turns the device into a proxy that pretends to be the device’s owner and attempts to use the device to make unauthorized transactions, such as ordering tickets from Ticketmaster or downloading applications from Apple’s App Store, said Lookout Mobile Security CTO Kevin Mahaffey.
Mahaffey, who studied Internet browsing data from Android gadgets to draw his conclusions, said an attacker could latch on to a business or government network if an employee whose Android device has been infected with NotCompatible accessed their corporate information via Wi-Fi. Mahaffey said he has found no evidence that corporate networks have been compromised. But CIOs need to be aware of NotCompatible because many of them allow Android devices in the workplace. Good Technology, a corporate email platform, said Android accounted for nearly 30% of devices activated on its network in the first quarter this year.
Some IT leaders, such as Terex CIO Greg Fell, don’t allow Android devices at work because they mistrust the open source software that enables employees to download Android software from several application stores. He supports iPhones and iPads because employees can only download software from Apple. “The fact that [Android] is an open system as opposed to a closed system like the Apple Store means there are no controls on what gets installed, and this increases the risk of picking up some malware that could compromise the device,” Fell said.
Android users and their network managers have little to fear at this stage, said Mahaffey. NotCompatible is an automated script, which suggests the attacker is just trolling to find vulnerabilities rather than targeting specific Android device users. “So far we have not seen any clear pattern as to what constitutes a site that was compromised … It seems to be scattershot,” Mahaffey said.
Also, NotCompatible can only harm people who have enabled their devices to download software from unofficial sources. The mechanics of the infection are simple. When users of Android devices navigate to an infected website with their device’s browser, the “Update.apk” malware package automatically downloads to the device. The Android software alerts the user to the download, and the malware can begin its mischief once a user clicks the install prompt for the application.
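A site owner who wants to know whether their own server is quietly handing an APK to Android browsers can look for exactly that pattern in the access log: a `.apk` response to an Android user agent whose referer is an ordinary page rather than a download page. The script below is an added example, not code from the article or from Lookout; the log lines are constructed, and the allowlist of pages that legitimately offer downloads is an assumption.

```python
import re

# Constructed sample access-log lines (combined log format) for a small site.
SAMPLE_LOG = """\
203.0.113.5 - - [02/May/2012:10:12:01 +0000] "GET /news.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus One Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
203.0.113.5 - - [02/May/2012:10:12:02 +0000] "GET /files/Update.apk HTTP/1.1" 200 90112 "http://example.test/news.html" "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus One Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
203.0.113.7 - - [02/May/2012:10:15:10 +0000] "GET /downloads/app.apk HTTP/1.1" 200 70000 "http://example.test/downloads.html" "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; Galaxy Nexus Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
198.51.100.9 - - [02/May/2012:10:13:41 +0000] "GET /files/Update.apk HTTP/1.1" 200 90112 "http://example.test/news.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(line) for line in text.splitlines()) if m]


def find_apk_pushes(entries, known_download_pages=frozenset()):
    """Return (ip, path, referer) for successful .apk responses served to Android
    browsers whose referer is not a page that is known to offer downloads.
    The allowlist of download pages is an assumption supplied by the site owner."""
    hits = []
    for e in entries:
        if e["status"] != "200" or not e["path"].lower().endswith(".apk"):
            continue
        if "android" not in e["ua"].lower():
            continue  # the drive-by described above is aimed only at Android browsers
        referer_path = re.sub(r"^https?://[^/]+", "", e["referer"])
        if referer_path in known_download_pages:
            continue  # a page that legitimately links to an APK
        hits.append((e["ip"], e["path"], e["referer"]))
    return hits


if __name__ == "__main__":
    for ip, path, referer in find_apk_pushes(parse_log(SAMPLE_LOG), frozenset({"/downloads.html"})):
        print(f"suspicious APK push: {ip} got {path} from {referer}")
```

A hit means a page that should only serve HTML caused an Android browser to fetch an APK, which is the moment to compare the page's content against a clean copy.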
This approach to malware is a common threat to personal computers, said Eric Maiwald, a mobile security analyst with Gartner. However, Maiwald and Mahaffey both said this appears to be the first time hacked websites are being used to target mobile devices. That in itself is noteworthy, Mahaffey said.