Thursday, June 27, 2013

NoCom malware is still spreading.

     A recent blog posting from Virus Bulletin has given updated information on an Android Trojan called NotCompatible that was first noticed by Lookout in May. Not much has changed since the original samples, which can currently be found on Contagio Mobile. I got a chance to take a quick look at this new version, which can be downloaded here (password = infected), after receiving some spam from a friend in my contact list with a Yahoo account.

   A quick overview shows that the link on the hacked site (this one is already inactive, as these change about every 24 hours), when clicked on with anything other than an Android device, will redirect to a scam designed to get the user to purchase a fake product. The link (hxxp://eefxxs[dot]com/) is a fake Fox News report on a "miracle" diet supplement. I have informed Fox of the copyright infringement and will update the post if the fake Fox News report has been removed.

  When clicked with an Android device, it will redirect and download the "Android Security Update". Of course, never install anything that downloads seemingly out of nowhere, especially from a link in an email.
However, under the guise of an official security update and with almost no permissions requested (the only permission it requires is Internet access), a user may be tricked into installing this.

     Info for the sites this redirects to can be found with VirusTotal's reverse IP lookup feature using the following IPs:

    Once installed it runs in the background with no icon, and it uses very little processing power and battery. Whenever the Android device connects to the Internet, the app announces itself to the command-and-control server and allows the device to be used as a TCP relay. The Android device can then be used as a proxy to hide further criminal activity. This can cause problems for devices on limited data plans, and the relay can be used to steal unencrypted Internet traffic passing through the device.
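The check-in-then-relay behaviour described above is something a defender can look for in connection logs from a mobile network or VPN gateway. The Python below is an added example, not code from the original post: it runs over a constructed connection log, and the host names, the 60-second cadence and the thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev

@dataclass
class Conn:
    ts: int         # epoch seconds
    device: str     # the Android client
    peer: str       # remote host
    direction: str  # "out" = the device initiated the session

def _build_sample():
    """Constructed log: phone-1 checks in with one peer every 60 s, then opens
    sessions to fresh unrelated hosts (relay pattern); phone-2 is a normal client."""
    rows = []
    for k in range(4):
        t = k * 60
        rows.append(Conn(t, "phone-1", "peer.example", "out"))       # check-in
        for i in range(6):                                            # relayed sessions
            rows.append(Conn(t + 3 + i, "phone-1", f"host{k * 6 + i}.example", "out"))
        rows.append(Conn(t, "phone-2", "push.example", "out"))       # benign keepalive
        rows.append(Conn(t + 7, "phone-2", "mail.example", "out"))
    return rows

SAMPLE = _build_sample()

def relay_candidates(conns, window=30, min_fanout=5, max_jitter=5.0):
    """Map device -> suspected controller when the device (a) contacts one peer
    at a steady interval and (b) fans out to many distinct hosts within `window`
    seconds of each contact. A steady keepalive alone (phone-2) is not flagged."""
    by_dev = defaultdict(list)
    for c in conns:
        by_dev[c.device].append(c)
    findings = {}
    for dev, recs in by_dev.items():
        times_by_peer = defaultdict(list)
        for c in recs:
            times_by_peer[c.peer].append(c.ts)
        for peer, times in times_by_peer.items():
            if len(times) < 3:
                continue
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            if pstdev(gaps) > max_jitter:
                continue  # irregular cadence, not a check-in
            fanout = {c.peer for c in recs if c.direction == "out" and c.peer != peer
                      and any(0 < c.ts - t <= window for t in times)}
            if len(fanout) >= min_fanout:
                findings[dev] = peer
    return findings
```

Fan-out after a regular check-in is the signal here; a push keepalive on its own has the cadence but not the spread of destinations.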

The current C&C server in this variant is:

Originally it used hxxp://notcompatible[dot]eu/, hence the name NotCompatible.

Stay safe out there

