Analysts with Lookout Mobile Security have found websites that have been hacked to deliver malicious software to devices running Android, an apparent new attack vector crafted for the mobile operating system.
The style of attack is known as a drive-by download and is common on the desktop: When someone visits a hacked website, malware can transparently infect the computer if it doesn’t have up-to-date patches.
Lookout said it noticed that “numerous” websites had been compromised to execute the attack, although those sites had low traffic. The company expects the impact to Android users will be low. The malware that tries to install itself, dubbed “NotCompatible,” appears to be a TCP relay or a proxy.
“This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy,” Lookout said. “This feature in itself could be significant for system IT administrators: a device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government.”
NotCompatible will automatically start downloading if the hacked website detects an Android device is visiting by looking at the web browser’s user-agent string, which specifies the device’s operating system.
The hacked websites have an hidden iframe, which is a window that brings other content into the target Web site, at the bottom of a page. The iframe causes the browser to pull content from two other malicious websites hosting NotCompatible. If a PC accesses either of those websites, a “not found” error is displayed, Lookout said.
After the malware downloads, the device will ask a user to install the application. But for it to be installed, the Android device’s settings must have “unknown sources” enabled, Lookout said. If the setting is not enabled, only applications from the Android Market, now called the Google Play store, can be installed.