Notcom malware for Android distributed using drive-by downloads

Filed Under: Android, Featured, Malware, Mobile

Reddit user georgiabiker appears to have discovered a new drive-by malware attack targeting Android users visiting compromised websites.

The sites distributing the malware have been injected with a malicious iframe (Troj/Iframe-HX) that inspects the User-Agent string sent by the browser; if it contains the string "Android", the device is directed to download a malicious Android package (APK).
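A defender-side illustration of the pattern described above, written for this page and not taken from Sophos or the original post: it scans constructed web-proxy log lines for Android clients that fetched an APK from a host other than the page that referred them, which is the footprint a drive-by redirect like this leaves. The log format, hostnames and allowlist are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample log lines (not from the article). Fields:
# client method url status content-type referer "user-agent"
SAMPLE_LOG = """\
10.0.0.5 GET http://news-site.example/index.html 200 text/html - "Mozilla/5.0 (Linux; U; Android 2.3.6) AppleWebKit/533.1 Mobile Safari/533.1"
10.0.0.5 GET http://apk-host.example/security-update.apk 200 application/vnd.android.package-archive http://news-site.example/index.html "Mozilla/5.0 (Linux; U; Android 2.3.6) AppleWebKit/533.1 Mobile Safari/533.1"
10.0.0.7 GET http://news-site.example/index.html 200 text/html - "Mozilla/5.0 (Windows NT 6.1) Firefox/12.0"
10.0.0.9 GET https://play.google.com/store/apps/details?id=com.example 200 text/html - "Mozilla/5.0 (Linux; Android 4.0) Chrome/18"
10.0.0.11 GET http://vendor.example/app.apk 200 application/vnd.android.package-archive http://vendor.example/download.html "Mozilla/5.0 (Linux; Android 4.0) Chrome/18"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<ctype>\S+) (?P<referer>\S+) "(?P<ua>[^"]*)"$')

APK_CTYPE = "application/vnd.android.package-archive"

def is_suspicious_apk_fetch(rec, allowed_hosts=("play.google.com",)):
    """True when an Android client fetched an APK from a host that is neither
    an allowlisted store nor the host of the referring page. A missing
    referer is treated as cross-site (conservative: better to review it)."""
    if "Android" not in rec["ua"]:
        return False
    url = urlparse(rec["url"])
    is_apk = rec["ctype"] == APK_CTYPE or url.path.lower().endswith(".apk")
    if not is_apk or url.hostname in allowed_hosts:
        return False
    ref_host = urlparse(rec["referer"]).hostname if rec["referer"] != "-" else None
    return ref_host != url.hostname

def find_drive_by_downloads(log_text):
    """Return (client, apk_url, referer) for each suspicious APK fetch."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        rec = m.groupdict()
        if is_suspicious_apk_fetch(rec):
            hits.append((rec["client"], rec["url"], rec["referer"]))
    return hits
```

On the sample above only the second line is reported: the same-site vendor download and the Play Store visit are left alone.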

[Image: Notcom package installed on Android phone]

Similar to Andr/Opfake-C, which Vanja Svajcer from SophosLabs wrote about in February, the malware is not installed automatically; rather, it is downloaded and relies on you to install it.

This malware, which Sophos Anti-Virus detects as Andr/Notcom-A, is a bit stealthier than Andr/Opfake-C, disguising itself as a security update.

Lookout Mobile Security did an analysis and came to the conclusion that this malware is designed to be a proxy. If that is true, its purpose could be data theft from devices connected to corporate networks or VPNs.

Vanja isn't as sure. He notes that the malware can be directed to communicate with different command and control servers and could have bot functionality as well.

[Image: NotCom Trojan permissions]

Unlike many other Android Trojans we have analyzed, this one only requests network permissions, so the intention doesn't appear to be collecting all of your contact details, SMSs, email and other personal details.

One of the command and control domains is 3na3budet9[dot]ru, which loosely translates to "3 on 3 will be 9", implying that whoever is behind this is likely Russian, or has an understanding of the Russian language. Not surprising really, but interesting.

Don't install unknown packages on your smartphone; random websites are not likely to provide you with security updates. If you are an Android user, even your carrier or phone manufacturer is unlikely to supply you with security fixes, so don't be fooled.

Vanja joined me for Chet Chat 70 after last year's Black Hat conference to discuss the Android patching problem, so why not give it a listen?


2 Responses to Notcom malware for Android distributed using drive-by downloads

  1. Conrad Longmore · 817 days ago

    Check the IP address of 3na3budet9.ru (and also there seems to be another C&C server of notcompatibleapp.eu) .. it's 141.0.172.199.

    What's significant about this IP is that it *also* hosts xvideos.com (a hugely popular porn site), and they've been distributing malware before – http://blog.dynamoo.com/2011/11/xvideoscom-compro...

  2. idtpjulian · 817 days ago

    This Trojan is only applicable if side-loading is enabled on the Android device. By default this is disabled so 'general' users will not need AV protection. Those that like playing with their devices would be advised to use an AV solution or be extra careful when visiting known malicious websites.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.