ra2 studio - Fotolia
The NotCompatible mobile malware reportedly has a new variant called, NotCompatible.C, which one security firm called the most sophisticated mobile malware it has ever seen. What makes it so different from prior malware and how can its new features/functions be mitigated?
The new mobile variant of NotCompatible -- NotCompatible.C -- includes many advancements. For example, it avoids detection by using a peer-to-peer (P2P) communication protocol, end-to-end encryption for all connections, and other anti-network behavioral analysis techniques to connect to its multiple command and control servers. It can also provide proxy functionality, allowing attackers into the target network through compromised devices; this can also be achieved by issuing execution commands to its bots.
To trick users into installation, NotCompatible.C uses standard drive-by download and social-engineering tactics.
The malware's primary purposes are spam campaigns, bulk ticket purchasing and brute-force attacking. It also provides a botnet-for-hire service.
The risks of NotCompatible.C can be mitigated by enterprises, but will require careful planning. To begin, standard social-engineering and drive-by download protections are essential.
Additionally, enterprises could supply, securely configure and manage the enterprise mobile devices to prevent social engineering from being successful, however this will not always work, and is not possible in a bring your own device environment.
Prevention will be critical to boosting mobile malware protection since the NotCompatible.C's network evasion tactics make it difficult to detect. NotCompatible.C can be blocked using mobile device management security software. Another option is to segment enterprise networks so that mobile devices -- or any untrusted devices -- are placed on a restricted network with minimal access to corporate data. This is good advice in general and will help manage other risks.
While NotCompatible.C has advanced functionality to evade network behavioral analysis, there is no SSL session initialization in the custom protocol used, making it stand out from legitimate SSL traffic -- network monitoring tools like an intrusion detection system should be able to detect it.
Ask the Expert:
Perplexed about enterprise security? Send Nick Lewis your questions today. (All questions are anonymous.)
Gain further insight into mobile device protection and preventing mobile malware.
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading