

It's not really an update - the NotCompatible malware asks to be installed

Source: Redditor Georgiabiker

Criminals have hacked web sites to serve drive-by malware to Android users; the malware poses as a system update that a user is tricked into installing. The malware, dubbed NotCompatible by Lookout Security and initially reported by Reddit user Georgiabiker, is hosted in an iframe at the bottom of a manipulated web page. When a user arrives on the page, a file by the name of "Update.apk" begins downloading immediately.

But it is only offered for installation, as "com.Security.Update", if the user has enabled the "Unknown Sources" setting in the system preferences. If that is not enabled, the installation will be blocked. The malware authors have not exploited any vulnerabilities in Android to install the software and are relying on social engineering and a preference that is often set on Android devices when people want to install software that is not from the official Android Market.

Drive-by downloads such as this are common for Windows PCs, but the sites serving up NotCompatible are being selective; when a user visits one of the sites that is serving up the malware, androidonlinefix.info, the browser's User-agent string is checked and the malware is only sent if it contains the word Android.

The malware itself appears to be a simple TCP relay/proxy which could be used to access private networks; it appears to call out to command and control servers at, among others, notcompatibleapp.eu and could allow the operators of the server to route connections from outside a firewall to within a private network belonging to an individual, company or government. The simplest protection against NotCompatible is to only set the "Unknown Sources" system preference when installing software from a trusted source, and to unset it immediately afterwards.

(djwm)
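
For administrators who want to check web proxy logs for the behaviour described above, the following is an added example and not part of the original article. It flags requests to the two domains the article names and APK downloads delivered to browsers whose User-agent contains "Android"; the log layout, field order and sample lines are assumptions constructed for illustration.

```python
import re

# Indicators taken from the article; the log format and sample lines are constructed.
ARTICLE_DOMAINS = {"androidonlinefix.info", "notcompatibleapp.eu"}
APK_MIME = "application/vnd.android.package-archive"

# Assumed proxy log layout: client host "METHOD path" status mime "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<host>\S+) "(?P<method>\S+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<mime>\S+) "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return (client, reasons) for one log line; reasons is empty if benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, []
    reasons = []
    host = m["host"].lower().rstrip(".")
    # Match a listed domain or any of its subdomains, not mere substrings.
    if any(host == d or host.endswith("." + d) for d in ARTICLE_DOMAINS):
        reasons.append("domain named in article")
    path = m["path"].lower().split("?")[0]
    is_apk = m["mime"].lower() == APK_MIME or path.endswith(".apk")
    # The sites only serve the file when the User-agent contains "Android".
    if is_apk and m["status"] == "200" and "android" in m["ua"].lower():
        reasons.append("APK served to Android browser")
        if path.rsplit("/", 1)[-1] == "update.apk":
            reasons.append("file name Update.apk")
    return m["client"], reasons

def scan(lines):
    """Map each client with at least one hit to its sorted reasons."""
    hits = {}
    for line in lines:
        client, reasons = classify(line)
        if reasons:
            hits.setdefault(client, set()).update(reasons)
    return {client: sorted(r) for client, r in hits.items()}

SAMPLE = [  # constructed log lines
    '10.0.0.5 androidonlinefix.info "GET /Update.apk" 200 application/vnd.android.package-archive "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us) AppleWebKit/533.1"',
    '10.0.0.7 example.org "GET /index.html" 200 text/html "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19"',
    '10.0.0.8 files.example.net "GET /dl/game.apk?id=3" 200 application/octet-stream "Mozilla/5.0 (Linux; U; Android 4.0.3) AppleWebKit/534.30"',
    '10.0.0.9 www.notcompatibleapp.eu "GET /" 200 text/html "-"',
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE).items():
        print(client, "->", "; ".join(reasons))
```

A hit on "APK served to Android browser" alone is not proof of NotCompatible, since legitimate sideloading looks the same; it identifies devices worth checking for the "Unknown Sources" setting and the "com.Security.Update" package.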