A lot of recent attacks on Android users are attributed to fake websites of popular applications such as Cut the Rope, Instagram, Angry Birds, or Grand Theft Auto III. However, the very recently discovered malware NotCompatible uses a distribution method not previously seen in the mobile world. The malware hacks into vulnerable websites to inject a hidden iframe that points to a malicious application. This app is downloaded to the device without user consent when the victim visits the infected legitimate website. Let’s take a deeper look into this malicious application, which has a very interesting payload that is not common in the mobile world.
Several websites have been found with an injected hidden iframe, most of them based on an old version of WordPress and with a bad permission structure.
That piece of code redirects to another host, hxxp://android[censored]fix.info/fix1.php, that detects if the browser agent is Android. In this case, the server gives the device the URL that points to the Android install package, which will be automatically downloaded and saved onto the device’s SD card. The malware is downloaded, but not executed; it requires user assistance to activate. To accomplish that step, the application names the downloaded file Update.apk and the application com.Security.Update to trick the user into believing that the download is a legitimate Android system update:
As we see in the preceding images, NotCompatible will automatically start at boot. For this reason the application does not have an icon. It starts as a service running in the background only after reboot or when the device screen changes its state (between locked and unlocked). This service opens a backdoor to receive commands from a remote server.
The remote IP and port servers are encrypted with AES inside the .apk in /res/raw/data. During analysis, we decrypted this as notcompatibleapp.eu port 48976 and 3na3budet9.ru port 38691. These parameters can be changed via a remote command sent by the control server.
NotCompatible uses the New I/O Proxy API implementation, which is a low-level API that provides access to intensive input/output operations. This API provides attackers an effective method to send and receive commands in custom packages.
Once the service is started, NotCompatible communicates with its control server to send TCP data packages with customized commands. The first message sent by the infected device is the following (always sent via TCP port 8014):
04000001050000000007000000
The control server receives this message, confirming that the infected device is active, and it responds with a Ping message:
040000010100000004
To this the infected device responds with a Pong:
040000010100000005
After this initialization protocol, the control server asks the device to access a specific HTML web page to authenticate itself by validating the string A35T7G:
We have seen similar behavior in a Windows PC malware (detected by McAfee as Generic.dx!bd3j) that sends and receives the same data packages to the same port but with a different control server IP address. This suggests that the infected mobile devices and the PC malware probably belong to the same botnet.
These commands can be remotely executed by the control server:
- Send Error: Sends a custom packet with a specific byte when the command sent by the control server is invalid
- ConnectProxy: Obtains the IP address and port as parameters and tries to open a connection to that remote host, probably to forward the network traffic sent by the control server to another host
- ShutdownChannel: Closes a specific connection with a remote host
- sendPong: Sends a custom packet with a specific byte when a packet with the last byte “4” is received (the ping). It is used by the control server to test network connectivity with the infected device.
- setTimeOut: Sets a specific period during which the connection to a remote host is alive
- newServer: Updates the configuration (AES encrypted in data.bin file inside the device) with a new control server
- newReservServer: The same as newServer but with a backup control server
Based on our previous analysis, we conclude that NotCompatible is an unusual Android malware delivered to users using a drive-by attack that could represent a proof of concept for a targeted attack. The malware was designed to execute stealthy remote commands and act as a server proxy to redirect traffic through the device. This could be used to avoid the tracking of illicit acts by making the network traffic anonymous. Also, based on the network traffic similarities (commands, ports, strings), it is very possible that both the Android and PC malware belong to the same botnet. We will probably see more Android malware of this kind. McAfee Mobile Security detects this threat as Android/NotCompatible.A.