Reddit user georgiabiker appears to have discovered a new drive-by malware attack targeting Android users visiting compromised websites.
The compromised sites have been injected with a malicious iframe (detected as Troj/Iframe-HX). The content it loads checks the User-Agent string sent by the browser, and if that string contains “Android” the device is redirected to download a malicious Android package (APK).
Similar to Andr/Opfake-C, which Vanja Svajcer from SophosLabs wrote about in February, the malware is not installed automatically: the APK is merely downloaded, and the attacker relies on the user to install it.
This malware, which Sophos Anti-Virus detects as Andr/Notcom-A, is somewhat stealthier than Andr/Opfake-C, since it disguises itself as a security update.
Lookout Mobile Security analysed the sample and concluded that it is designed to act as a proxy. If so, its purpose could be data theft: an infected phone that is connected to a corporate network or VPN would give the attacker a relay into that network.
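The two tells of this drive-by, a hidden off-site iframe in the page and a download that only appears when the visitor looks like an Android browser, can both be checked mechanically. The script below is an added example, not Sophos code or anything recovered from the infected sites; the hostnames (`example-victim.test`, `attacker.invalid`) and the sample page are constructed for the demonstration, and the live check at the bottom assumes you are authorised to probe the URL you pass it.

```python
"""Added example: flag a hidden, off-site iframe and a User-Agent dependent APK
download, the two tells of the drive-by described above. Not Sophos code; the
hostnames (.test / .invalid) and the sample page are constructed for the demo."""
import re
import sys
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

APK_MIME = "application/vnd.android.package-archive"
# Representative User-Agent strings (constructed; any Android/desktop pair will do).
ANDROID_UA = ("Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; Galaxy Nexus Build/IML74K) "
              "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"

# Constructed sample of an infected page: one legitimate same-site embed plus one
# injected 1x1 hidden iframe pointing at an attacker-controlled host.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/player.html" width="560" height="315"></iframe>
<iframe src="http://attacker.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Leading integer of a width/height attribute; missing or non-numeric counts as large."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 9999


def suspicious_iframes(html, page_host):
    """Return iframes that are tiny, hidden by inline style, or sourced from another host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for f in parser.frames:
        src = f.get("src", "")
        host = urlparse(src).hostname or page_host        # a relative src stays on-site
        style = f.get("style", "").replace(" ", "").lower()
        tiny = _px(f.get("width")) <= 1 or _px(f.get("height")) <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        offsite = host.lower() != page_host.lower()
        if tiny or hidden or offsite:
            hits.append({"src": src, "tiny": tiny, "hidden": hidden, "offsite": offsite})
    return hits


def serves_apk(content_type, final_url, content_disposition=""):
    """True when a response is an APK delivery: by MIME type, filename, or redirect target."""
    mime = (content_type or "").split(";")[0].strip().lower()
    return (mime == APK_MIME
            or urlparse(final_url).path.lower().endswith(".apk")
            or ".apk" in (content_disposition or "").lower())


def fetch(url, user_agent):
    """Follow redirects with the given User-Agent; return (final_url, content_type, disposition, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return (resp.geturl(), resp.headers.get("Content-Type", ""),
                resp.headers.get("Content-Disposition", ""), resp.read(256 * 1024))


def ua_targeted_apk(url):
    """Fetch as Android and as desktop; report whether only the Android visit yields an APK."""
    a_url, a_ct, a_cd, _ = fetch(url, ANDROID_UA)
    d_url, d_ct, d_cd, _ = fetch(url, DESKTOP_UA)
    return serves_apk(a_ct, a_url, a_cd) and not serves_apk(d_ct, d_url, d_cd)


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, "example-victim.test"):
        print("suspicious iframe:", hit)
    if len(sys.argv) > 1:  # live check against a URL you are authorised to probe
        print("Android-only APK download:", ua_targeted_apk(sys.argv[1]))
```

Legitimate third-party embeds (video players, ad frames) will also show up as off-site, so treat `offsite` alone as a prompt to look, and the combination of tiny, hidden and off-site as the real signal. The User-Agent comparison is the more reliable check, because a server that returns HTML to a desktop browser and an APK to an Android one has no honest reason to do so.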
Vanja isn’t as sure. He notes that the malware can be directed to communicate with different command and control servers and could have bot functionality as well.
Unlike many other Android Trojans we have analyzed, this one requests only network permissions, so the intention does not appear to be collecting your contact details, SMS messages, email and other personal data.
One of the command and control domains is 3na3budet9[dot]ru, which reads as “3 на 3 будет 9”, roughly “three times three makes nine”, implying that whoever is behind this is likely Russian, or at least understands the Russian language. Not surprising really, but interesting.
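The permission set is the quickest triage signal an analyst has for a sample like this: a package that declares nothing but network permissions has a different shape from the usual contact- and SMS-harvesting Trojan. The script below is an added example, not Sophos code and not derived from the real Andr/Notcom-A manifest; it works on a decoded AndroidManifest.xml (the one inside an APK is binary XML, so decode it first with a tool such as apktool), and both manifests and the triage buckets are constructed for the demonstration.

```python
"""Added example: triage a decoded AndroidManifest.xml by the permissions it declares,
so a network-only sample like the one described above stands out from a data grabber.
Not Sophos code; the permission buckets and both manifests are constructed for the demo."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
LABEL_ATTR = "{%s}label" % ANDROID_NS

# Coarse triage buckets (constructed here; not an official Android taxonomy).
NETWORK = {
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE", "android.permission.CHANGE_WIFI_STATE",
}
PERSONAL = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.GET_ACCOUNTS",
    "android.permission.READ_PHONE_STATE", "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed manifest resembling a "security update" that only wants the network.
NET_ONLY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Security Update"/>
</manifest>"""

# Constructed manifest of the usual contact/SMS-harvesting Trojan shape, for contrast.
HARVESTER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.grabber">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Free Game"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Set of permission names from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")} - {None}


def app_label(manifest_xml):
    """The user-visible application label, which is where the 'security update' lure lives."""
    app = ET.fromstring(manifest_xml).find("application")
    return app.get(LABEL_ATTR, "") if app is not None else ""


def triage(manifest_xml):
    """Bucket the permissions and name the overall profile of the sample."""
    perms = declared_permissions(manifest_xml)
    if perms and perms <= NETWORK:
        profile = "network-only"        # proxy / bot shape: nothing to read locally
    elif perms & PERSONAL:
        profile = "personal-data"       # classic contact / SMS harvester
    else:
        profile = "other"
    return {
        "label": app_label(manifest_xml),
        "profile": profile,
        "network": sorted(perms & NETWORK),
        "personal": sorted(perms & PERSONAL),
        "other": sorted(perms - NETWORK - PERSONAL),
    }


if __name__ == "__main__":
    for manifest in (NET_ONLY_MANIFEST, HARVESTER_MANIFEST):
        print(triage(manifest))
```

A network-only profile is not proof of benign behaviour, as this very sample shows: INTERNET alone is all a proxy or bot client needs, and the interesting questions then move to where it connects and what it relays, which the manifest cannot answer.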
Don’t install unknown packages on your smartphone; random websites are not going to provide you with security updates. Leaving Android’s “Unknown sources” setting disabled blocks the installation of sideloaded APKs like this one in the first place. If you are an Android user, even your carrier or phone manufacturer is unlikely to supply you with security fixes, so don’t be fooled.
Vanja joined me for Chet Chat 70 after last year’s Black Hat conference to discuss the Android patching problem, why not give it a listen?
Follow @chetwisniewski