One of the most sophisticated pieces of smartphone malware seen to date has been uncovered, and it could be used to compromise an entire corporate network if just one device on that network is infected.
The malware, called NotCompatible, was discovered by mobile security specialists Lookout. It lets its operators spread within a corporate network and steal data, while its evasion techniques make it much harder for traditional security measures to spot.
NotCompatible gives attackers remote access to protected networks through any connected mobile device, including corporate Wi-Fi and VPNs.
This is the third iteration of the malware first spotted in 2012, and features huge technical improvements over the original version. Summing up what it can do, Lookout said:
At its heart, NotCompatible.C is an unrestricted proxy on a mobile device that offers the operators unfettered access to protected networks to which these devices connect. An infected [smartphone] present on an enterprise network would potentially allow attackers to enumerate vulnerable hosts inside the network, exploit vulnerabilities in these hosts and exfiltrate data.
NotCompatible targets Android smartphones and tablets, and while the malware itself is very sophisticated, the way the attackers attempt to infect devices is not.
The "unsophisticated but effective" distribution stands in stark contrast to the sophistication of the malware itself. The attackers use techniques such as drive-by downloads through spam email campaigns and compromised websites to help spread the malware.
Lookout researchers observed NotCompatible spam campaigns where each campaign used a different block of compromised email accounts, including one campaign which used compromised accounts from AOL, while another used compromised Yahoo! accounts.
The malware does not take advantage of any vulnerability in Android, preferring to rely on social engineering to trick users into installing what look like updates.
For example, one spam email we have observed targeting Korean companies informs the user that they need to install a "security patch" in order to view an attached file. Other spam emails advertised weight loss solutions and some included nothing more than a link that served an APK to Android devices.
Looking at those behind the malware, Lookout says it believes NotCompatible's operators are either "a large, multi-faceted cybercrime group" or a group that provides access to its network to other cybercrime groups.
Those in charge have adopted a rent-a-botnet business model, renting out their infected network of devices for such things as:
- Spam campaigns (weight loss);
- Bulk ticket purchasing (Craigslist, Ticketmaster, StubHub); and
- Brute-force attacks against WordPress website administration panels.
"Given the potential security risk this latest variant poses to enterprise networks, we encourage security organisations to increase monitoring of mobile device network activity and deploy protection against attacks of this kind," the security company said.
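The monitoring Lookout recommends can start with a simple fan-out check over flow or firewall logs from the mobile Wi-Fi and VPN segment: a single device contacting many distinct internal hosts in a short window is the host-enumeration behaviour the article attributes to an infected device acting as a proxy. The following Python is an added example, not Lookout's code or anything from the article; the flow-record format, the address ranges, the window length and the alert threshold are all assumptions, and the sample records are constructed.

```python
"""Fan-out detector for mobile-segment flow logs (added example, not Lookout's).

Assumed record format (not from the article):
    "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes>"
Assumed addressing (constructed): mobile Wi-Fi/VPN clients live in
10.50.0.0/16, and everything in 10.0.0.0/8 counts as an internal host.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MOBILE_SEGMENT = ip_network("10.50.0.0/16")      # assumed mobile/VPN client range
INTERNAL_RANGES = [ip_network("10.0.0.0/8")]     # assumed internal address space
WINDOW_SECONDS = 300                             # assumed analysis window
DISTINCT_HOST_THRESHOLD = 15                     # assumed; tune per environment


def parse_flow(line):
    """Split one flow record into (timestamp, src, dst, port, bytes)."""
    ts, src, dst, port, nbytes = line.split()
    return int(ts), ip_address(src), ip_address(dst), int(port), int(nbytes)


def is_internal(ip):
    """True when the address falls inside an internal range."""
    return any(ip in net for net in INTERNAL_RANGES)


def detect_fan_out(lines, window=WINDOW_SECONDS, threshold=DISTINCT_HOST_THRESHOLD):
    """Return {src_ip: {dst_ip, ...}} for mobile-segment sources that reached
    at least `threshold` distinct internal hosts within one time window.

    Flows from outside the mobile segment and flows to external hosts are
    ignored; only internal fan-out from a mobile client is of interest here.
    """
    buckets = defaultdict(set)  # (src, window index) -> distinct internal dsts
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, _port, _nbytes = parse_flow(line)
        if src not in MOBILE_SEGMENT or not is_internal(dst):
            continue
        buckets[(src, ts // window)].add(dst)

    alerts = {}
    for (src, _idx), dsts in buckets.items():
        if len(dsts) >= threshold:
            alerts.setdefault(str(src), set()).update(str(d) for d in dsts)
    return alerts


def build_sample_flows():
    """Constructed records: one device sweeping 30 internal hosts, one normal."""
    base = 1700000100  # chosen so the whole sweep sits inside one 300 s window
    flows = []
    # Device A (10.50.1.23): 30 distinct internal hosts on SMB/SSH/HTTP in ~4 min
    for i in range(30):
        port = (445, 22, 80)[i % 3]
        flows.append(f"{base + i * 8} 10.50.1.23 10.10.0.{i + 1} {port} 512")
    # Device B (10.50.2.7): mail server, file server, one external site, mail again
    ordinary = [("10.20.0.10", 993), ("10.20.0.11", 445),
                ("203.0.113.5", 443), ("10.20.0.10", 993)]
    for i, (dst, port) in enumerate(ordinary):
        flows.append(f"{base + i * 60} 10.50.2.7 {dst} {port} 2048")
    return flows


if __name__ == "__main__":
    for src, hosts in detect_fan_out(build_sample_flows()).items():
        print(f"ALERT {src}: {len(hosts)} distinct internal hosts in one window")
```

The check only catches the enumeration phase; a device quietly relaying an operator's traffic to one or two chosen hosts produces little fan-out, so the threshold has to be baselined per device class, and the alert is a trigger for looking at what that device was doing, not a verdict on its own.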
Lookout added that protecting against NotCompatible is not straightforward: the malware's creators have built in methods of avoiding detection that make it particularly difficult for network-based security systems to detect or block.