A new, more sophisticated and stealthier version of the NotCompatible Android Trojan continues to strengthen one of the longest-lived and most advanced mobile botnets seen to date, active since mid-2012.
Posing as a “security patch” and distributed to victims via drive-by downloads from compromised websites and spam emails from compromised webmail accounts, NotCompatible.C shows many changes when compared to earlier variants.
The malware serves as a proxy, and the botnet – thought to be available for rent – is used for spam campaigns, bulk ticket purchasing, brute-force attacks (mainly against WordPress sites), and accessing c99 shells.
“Traditionally, mobile malware operators have not done so much to protect their infrastructure or communications. NotCompatible.C, however, employs a two-tiered server architecture,” Lookout’s Tim Strazzere says, explaining the botnet’s endurance.
“The gateway command and control server uses a load balancing approach, in which infected devices from different IP address regions are filtered and segmented geographically, and only authenticated clients are allowed to connect. Not only does this model bring client usage efficiency, but our research suggests that it also aids in avoidance of discovery. We suspect that the gateway C2 makes it difficult for behavioral analysis systems and researchers to pick up on traffic.”
Also, all communications between the clients and C&Cs are encrypted and virtually indistinguishable from legitimate encrypted traffic, he pointed out.
The device receives a configuration file from the C&C server, which includes pointers not only to all the other servers used to control the botnet but also to other infected clients. This way it can contact the latter in case its communication with the listed servers has been blocked or prevented (for example, if the servers have been taken down by law enforcement).
But aside from being an obvious nuisance and danger to regular mobile users, NotCompatible also presents a threat to corporate networks.
“We believe that NotCompatible is already present on many corporate networks because we have observed, via Lookout’s userbase, hundreds of corporate networks with devices that have encountered NotCompatible,” Strazzere shared.
Even though it has yet to be seen targeting protected networks, a device carrying the malware and connecting to an organization’s network can be used to enumerate vulnerable hosts inside the network, exploit vulnerabilities, search for exposed data, and so on.
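As an added defender-side illustration (not code from the article or from Lookout), the following Python flags a device on an assumed BYOD/guest segment that contacts an unusually large number of distinct internal hosts within a short window, the internal enumeration behaviour described above. The flow records, subnet ranges and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed network layout: phones and other BYOD devices land on 10.50.0.0/16,
# everything in 10.0.0.0/8 counts as internal. Adjust to the real environment.
BYOD_SEGMENT = ip_network("10.50.0.0/16")
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records (timestamp, src, dst, dst_port), not real telemetry.
SAMPLE_FLOWS = (
    # an infected phone on the BYOD VLAN sweeping SSH on twelve internal hosts in ~12 seconds
    [(f"2014-11-20T09:00:{i:02d}", "10.50.1.23", f"10.10.0.{i}", 22) for i in range(1, 13)]
    # a benign phone talking to mail, wiki and proxy
    + [("2014-11-20T09:01:00", "10.50.1.40", "10.10.0.1", 443),
       ("2014-11-20T09:01:05", "10.50.1.40", "10.10.0.2", 443),
       ("2014-11-20T09:02:30", "10.50.1.40", "10.10.0.9", 8080)]
    # an authorised vulnerability scanner on the server VLAN, outside the BYOD segment
    + [(f"2014-11-20T09:05:{i:02d}", "10.20.0.7", f"10.10.0.{i}", 445) for i in range(1, 30)]
)


def find_internal_fanout(flows, window_minutes=5, host_threshold=10):
    """Return {src: set(dst)} for BYOD sources that reached at least
    host_threshold distinct internal hosts inside any window_minutes window."""
    per_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in BYOD_SEGMENT and d in INTERNAL and d != s:
            per_src[src].append((datetime.fromisoformat(ts), dst))

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # slide the left edge so events[left:right+1] fits in the window
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = {dst for _, dst in events[left:right + 1]}
            if len(distinct) >= host_threshold:
                alerts[src] = alerts.get(src, set()) | distinct
    return alerts
```

In a real deployment the threshold should be tuned against the baseline fan-out of legitimate mobile clients, which normally touch only a handful of internal services.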