ThreatTrack Security experts have analyzed the latest variant of the Android threat

Jul 10, 2013 18:01 GMT

Security researchers from ThreatTrack Security’s AV Labs have spotted a new variant of the NotCompatible Android Trojan, a threat identified by Lookout back in May 2012.

According to experts, the threat is distributed via hijacked Yahoo accounts. The cybercriminals use the compromised accounts to send out emails that contain only a link.

If the link in question is accessed from a Windows or a Mac OS X machine, victims are taken to a miracle diet scam site. However, if the link is accessed from an Android phone, the user is directed to a site that serves a malicious APK which poses as a security update for Android.

What’s interesting about the threat, identified by VIPRE Mobile as Trojan.AndroidOS.NoCom.a, is that it doesn’t request too many permissions during installation, which makes it less suspicious.

Once it finds itself on a device, NotCompatible silently runs in the background. It doesn’t eat up a lot of resources and battery, and it doesn’t use a discernible icon.

However, once the Trojan contacts its command and control server, it turns the infected device into a TCP relay.

“An Android device turned into a TCP relay basically acts as a mechanism or a medium for downloading files,” warns ThreatTrack Security researcher Dean Lawrence Bueno.

“Once Trojan.AndroidOS.NoCom.a is granted permission to connect to the Internet, the C&C server can then begin transferring files to and from the infected device without prompting or alerting unsuspecting users.”

This means that the threat can download additional malicious components. It can also steal unencrypted traffic.

“When it comes to mobile security, it pays to be extra careful when handling emails (which may or may not be spam) and URLs (which may or may not be malicious). Bear in mind that smartphones and tablets run on operating systems that are dramatically less secure than OSes that have been around for at least 10 years,” ThreatTrack’s Jovi Umawing noted.