Lookout Mobile Security's analysts have found hacked websites with the purpose of delivering malicious software to Android running devices. Apparently, that was a new attack vector created for the mobile OS. The type of attack is common on desktops and it is called the drive-by download. What happens is that when someone goes to a hacked site, the malware can clearly infect it if its patches are not up to date.
Lookout said in its blog that it seems to be the first time that sites that have been compromised are utilized to distribute malware that targets Android devices. Moreover, it said that it saw many compromised websites perform the attack even if the traffic of those sites is low. Lookout hopes that the effect to Android users will not be great.
The self-installing malware that is dubbed as NotCompatible looks like a proxy or TCP relay. According to Lookout, the threat does not seem to pose any direct damage to a device it targets. However, it can possibly be utilized to obtain illegal access to networks that are private by making a proxy out of an infected Android device.
The feature on its own can be essential for IT administrators of a system because an infected device can be possibly used to obtain access to systems or information that are usually protected like the ones maintained by the government or enterprise. NotCompatible begins downloading automatically if the hacked site detects a visiting Android device by checking the user-agent string of the website's browsers that gives the specific operating system of the device.
The hacked site has a concealed iframe, a window that transfers other content into the target website, at the page's bottom part. The iframe lets the browser get the content of two other malicious websites that host NotCompatible. Lookout said that if a computer accesses any of those sites, a not found error shows.
After the download of the malware, the user will be asked by the device to install the application. However, in order for the installation to happen, the settings of the device must enable the "unknown sources," said Lookout. If it is enabled, Android Market's applications which are currently called the Google play store may be installed.