News Stay informed about the latest enterprise technology news and product updates.

Android mobile attack: Hacked websites target Android users

For the first time, cybercriminals are using compromised websites to conduct drive-by attacks targeting Google Android users.

Security researchers have discovered compromised websites targeting Android devices with a suspicious mobile application, in what appears to be the first time the drive-by attack technique is being used by cybercriminals via hacked sites to target mobile users.

A device infected with NotCompatible could potentially be used to gain access to protected information or systems, such as those maintained by enterprise or government.

Lookout Inc.

The research team at San Francisco-based mobile security firm Lookout Inc. discovered compromised websites hosting a download called NotCompatible. An Android user could fall victim to the attack by simply visiting a compromised website in their mobile Web browser. The malicious code automatically begins downloading the suspicious NotCompatible application.

A variety of fairly sophisticated attack toolkits have made it easy for cybercriminals to set up drive-by attacks by making the process almost completely automated. But up until now, mobile drive-by attacks using compromised websites have been theoretical. According to a threat report issued by security researchers at U.K.-based security vendor Sophos, drive-by attacks skyrocketed in 2011, primarily driven by users of the popular Black Hole exploit kit. Desktop and laptop users can prevent drive-by attacks by controlling Java, Javascript, Flash and other code from automatically executing in the browser.

So far the threat of Android users falling victim to mobile drive-by attacks appears to be low. Lookout said it discovered the Android attack being used on two compromised websites and traced the communication to a .eu command-and-control server. The attack itself involves a high amount of user interaction.  Once the application is downloaded, the user will be prompted to click on a notification to confirm the install. For the attack to work, victims must have their Android device set to accept apps from unknown sources.

The attackers appear to be compromising sites with a hidden iFrame at the bottom of each page, Lookout said. NotCompatible, which appears to the victim as an application called “Update.apk” poses as a system update, but sets up the phone as a proxy that can be used to access private networks. Lookout said it has not seen any malicious activity associated with infected devices.

“This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy,” Lookout said in a blog post describing the mobile drive-by attack technique. “A device infected with NotCompatible could potentially be used to gain access to protected information or systems, such as those maintained by enterprise or government.”

Attacks targeting Android devices have increased, making it the top mobile malware platform, according to Kaspersky Lab, but most experts admit the risk from mobile malware is still extremely low. A larger threat looming for enterprises is lost and stolen devices and data leakage, said security experts. At RSA Conference 2012, security experts called for more Android mobile malware research to try to address the issue before attacks become more widespread. The fear is that some apps can become weaponized to collect sensitive data and perform unauthorized activity.

Dig Deeper on Mobile security threats and prevention

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.