A new version of the NotCompatible malware, which first appeared in 2012, is bigger, badder and pretty much indestructible, Lookout Security reported.
And it can compromise corporate networks, thanks to the BYOD trend.
The malware, called “NotCompatible C,” focuses on Android devices.
“Given this is an Android Trojan and the app is not trusted by Google, it would need the ‘Unknown Sources’ special permissions [of the Android OS] to install,” Armando Orozco, a senior malware intelligence analyst at Malwarebytes, told LinuxInsider. “So users just have to not install apps from untrusted sources.”
What NotCompatible C Is and Does
The NotCompatible Trojan is used to spread spam campaigns on Yahoo, Comcast, AOL and Live; for bulk ticket purchases on Ticketmaster, Livenation, Eventshopper and Craigslist; for brute force attacks against WordPress; and for c99 shell control, where the attacker logs into OS shells and performs various actions.
NotCompatible C has a two-tiered server architecture, Lookout said.
The gateway command and control (C2) server uses load balancing — it filters and segments infected devices from different IP address regions geographically. Only authenticated clients are allowed to connect to the server.
That provides network efficiency and makes it difficult for behavioral analysis systems and researchers to pick up on traffic.
Once a device has made contact with the operational C2, it downloads a list of other infected devices, or clients.
Clients can connect with each other and share intelligence, forming a peer-to-peer network. If the C2 server to which a device initially connects is taken down, it can find new C2s through its links to its peers.
Further, all communications between the clients and the C2s are encrypted, and NotCompatible C traffic appears as binary data streams, indistinguishable from legitimate encrypted traffic such as SSL, SSH or VPN.
How NotCompatible Spreads
NotCompatible C users rely on social engineering tactics such as spam campaigns and compromised websites harboring drive-by downloads to trick victims into installing the malware.
The operators apparently have made bulk purchases of compromised accounts and websites — Lookout has observed spam campaigns tied to specific groups of compromised accounts.
Once an infected mobile device is brought into an organization, attackers can use NotCompatible C’s proxy feature to scan the network for vulnerable hosts or to exploit vulnerabilities and search for exposed data, Lookout suggested.
It has observed “hundreds” of corporate networks with devices that have encountered the Trojan.
“Any P2P C2 infrastructure that also uses encryption is difficult to detect at the network level,” Oliver Tavakoli, CTO of Vectra Networks, told LinuxInsider.
The IP addresses being communicated “are unpredictable and cannot reasonably be put on reputation lists because the infected hosts sit behind network address translation (NAT) devices,” Tavakoli explained. “And the payload is typically unpredictable due to encryption and makes developing an IPS signature difficult.”
However, the malware can be spotted because “the way in which it makes money for its owner — spam, brute force and so on — is detectable in the network,” Tavakoli said.
Preventing NotCompatible C Infections
There are two ways to prevent NotCompatible C from attacking the enterprise, Patrick Murray, vice president of products at Zimperium, told LinuxInsider.
One is to install a product like Zimperium, which protects against spearphishing and browser-based attacks by looking at the behavior of the device when malware tries to run on it.
Another is to use a URL-filtering solution that detects known C2 devices used by botnets and blacklists them, but “this only works once the attack has compromised the device and begins to phone home,” Murray said.
If traffic ran through WiFi or a company’s virtual private network, then detection “could be added if the proper appliances were in place,” Orozco suggested. Still, corporations should “educate their staff on the risks of installing unwanted apps and clicking or tapping on spam links.”