NotCompatible.A, which researchers discovered in 2012, acted
as a proxy on infected devices, but it didn’t cause any direct damage. The
mobile malware’s authors did not use a complex command and control (C&C)
architecture, and communications were not encrypted, making it easy for security
solutions to detect its activity.
New features in NotCompatible.C
The latest version of the threat, NotCompatible.C, is far
more complex. According to Lookout, the authors have made it more difficult to
detect and resilient to takedowns by implementing features usually found in
mature PC-based malware.
NotCompatible.C uses peer-to-peer (P2P) communications
between infected devices, which makes it resilient to IP and DNS blocking, and
it relies on multiple, geographically distributed C&C servers, so the
malware keeps functioning even if law enforcement authorities manage to shut
down individual servers.
The malware’s authors have also started encrypting all
C&C and proxied traffic, making it difficult for network security solutions
to identify the malicious traffic. Furthermore, public key cryptography is used
for mutual authentication between C&C servers and clients.
To protect their infrastructure, the cybercriminals use a
gateway C&C that analyzes incoming connections and blocks those that
come from IP addresses that are not trusted.
NotCompatible.C distribution and use
NotCompatible.C is distributed through spam campaigns and
compromised websites. The attackers are not leveraging any exploits; instead,
they rely on social engineering to trick potential victims into installing
the threat on their mobile devices. One of the distribution campaigns observed
by Lookout used the classic “security update” ruse.
According to the security firm, the cybercriminals have
acquired compromised websites and accounts in bulk. In one of the spam runs
seen by researchers, only Yahoo accounts had been used. In a different
campaign, the attackers used only compromised AOL accounts.
These techniques have been successful. Lookout says its
solutions have blocked hundreds of thousands of infection attempts in the
United States and other countries around the world. In the U.S. for instance,
NotCompatible reached encounter rates of more than 1% at its peak, researchers
noted.