A recent spam campaign exhibits more than the usual amount of cleverness, as described by Jim Clausing at the SANS Institute.
Clausing investigated a suspicious email of a type that was spreading several weeks ago. It contained a link which, when followed on most platforms, went to a typical spam site. When followed on Android, it distributed Android malware.
I received a similar email with the same domain links in it and the same general characteristics. Here is mine:
I haven't blurred out the link because, as Clausing reports, there is no longer malware there. When I test the URL from Chrome on a PC, I am redirected to a Canadian pharmacy site, a classic spam target as Clausing says. When I test it from Chrome on Android, I am redirected to the root of the domain, which says that the domain is for sale. I am not served any malware. So the malware itself has been taken down, but the OS-specific redirect (which then used a META refresh tag to serve the malware when it was still up) is still in place and the spam links still functional.
The malware itself, according to Clausing, was the latest version of "DroidNotCompatible." Based on some Googling, this appears to be the malware usually called "NotCompatible" and which comes in a file named update.apk.
In order to run the attack, one must first enable installs from untrusted sources in Android settings and then choose to run the APK from the downloads folder. So it's far from a true drive-by, but it's still interesting that it downloads only on Android devices.