NotCompatible Malware a Threat to Enterprise Mobile Users
NotCompatible.A, which researchers discovered in 2012, acted as a proxy on infected devices, but it didn't cause any direct damage. The mobile malware's authors did not use a complex command and control (C&C) architecture and communications were not encrypted, making it easy for security solutions to detect its activities.

New features in NotCompatible.C

The latest version of the threat, NotCompatible.C, is far more complex. According to Lookout, the authors have made it more difficult to detect and resilient to takedowns by implementing features usually found in mature PC-based malware.

NotCompatible.C uses peer-to-peer (P2P) communications between infected devices, which makes it resilient to IP and DNS blocking, and it relies on multiple, geographically distributed C&C servers, which lets the malware keep functioning even if law enforcement manages to shut down individual servers.

The malware's authors have also started encrypting all C&C and proxied traffic, making it difficult for network security solutions to identify the malicious traffic. Furthermore, public key cryptography is used for mutual authentication between C&C servers and clients.

To protect their infrastructure, the cybercriminals use a gateway C&C that analyzes incoming connections and blocks those originating from IP addresses that are not trusted.
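Because the C&C and proxied traffic is now encrypted, payload inspection on the network no longer reveals the bot; what remains observable is connection metadata, and a handset acting as a proxy looks different from one that is merely browsing. The script below is an added example (not code from the original article or from Lookout) that scores devices from flow records by two such signals: fan-out to many distinct destinations and a near-balanced ratio of bytes sent to bytes received, which is typical of a relay. The flow records, the device addresses, the `Flow` structure and the thresholds are all constructed assumptions for illustration.

```python
"""Behavioural detection of proxy-like mobile devices from flow metadata.

Added example, not from the original article. Inputs are assumed to be
netflow-style records (source device, remote destination, port, bytes in each
direction); the sample records and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal device address (assumed)
    dst: str        # remote address the device connected to
    dst_port: int
    bytes_out: int  # bytes sent by the device
    bytes_in: int   # bytes received by the device


def _constructed_sample():
    """Constructed sample: one ordinary handset and one behaving like a relay."""
    flows = [
        # 10.0.0.11 browses a handful of sites: small requests, large responses.
        Flow("10.0.0.11", "203.0.113.5", 443, 1200, 48000),
        Flow("10.0.0.11", "203.0.113.9", 443, 900, 30500),
        Flow("10.0.0.11", "198.51.100.2", 443, 500, 12000),
    ]
    # 10.0.0.42 fans out to 30 unrelated hosts and relays roughly as much
    # data as it receives, the pattern of a device proxying someone else's
    # traffic. Addresses are from the documentation range 192.0.2.0/24.
    for i in range(1, 31):
        flows.append(Flow("10.0.0.42", f"192.0.2.{i}", 443 if i % 2 else 8080,
                          4000 + 10 * i, 4200 + 5 * i))
    return flows


SAMPLE_FLOWS = _constructed_sample()


def score_devices(flows, min_destinations=20, min_balance=0.5):
    """Aggregate flows per source device and flag proxy-like behaviour.

    balance = min(bytes_out, bytes_in) / max(bytes_out, bytes_in), so 1.0 is a
    perfectly symmetric relay and ordinary browsing sits near 0. A device is
    marked suspect only when it is both highly fanned out and balanced;
    either signal alone is common in benign traffic (CDN fan-out, video calls).
    """
    per_dev = defaultdict(lambda: {"dsts": set(), "out": 0, "in": 0})
    for f in flows:
        d = per_dev[f.src]
        d["dsts"].add(f.dst)
        d["out"] += f.bytes_out
        d["in"] += f.bytes_in

    result = {}
    for src, d in per_dev.items():
        hi = max(d["out"], d["in"])
        balance = min(d["out"], d["in"]) / hi if hi else 0.0
        fanout = len(d["dsts"])
        result[src] = {
            "distinct_destinations": fanout,
            "balance": round(balance, 3),
            "suspect": fanout >= min_destinations and balance >= min_balance,
        }
    return result


def suspects(flows, **thresholds):
    """Return the sorted list of device addresses flagged as proxy-like."""
    scores = score_devices(flows, **thresholds)
    return sorted(src for src, s in scores.items() if s["suspect"])


if __name__ == "__main__":
    for src, s in score_devices(SAMPLE_FLOWS).items():
        print(src, s)
    print("suspects:", suspects(SAMPLE_FLOWS))
```

The thresholds are deliberately conservative; in practice they would be tuned against a baseline of the fleet's normal traffic, and a hit is a reason to pull the device for inspection rather than proof of infection.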

NotCompatible.C distribution and use

NotCompatible.C is distributed through spam campaigns and compromised websites. The attackers do not use any exploits; instead they rely on social engineering to trick potential victims into installing the threat on their mobile devices. One of the distribution campaigns observed by Lookout used the classic "security update" ruse.

According to the security firm, the cybercriminals have acquired compromised websites and accounts in bulk. In one of the spam runs seen by researchers, only Yahoo accounts had been used. In a different campaign, the attackers used only compromised AOL accounts.

These techniques have been successful. Lookout says its solutions have blocked hundreds of thousands of infection attempts in the United States and other countries around the world. In the U.S. for instance, NotCompatible reached encounter rates of more than 1% at its peak, researchers noted.

Read the full article at SecurityWeek.