In a new whitepaper released today, the San Francisco-based security company details how it has been tacking NotCompatible and the cyber-criminals behind the threat since early 2012, when the company first revealed it as ‘relatively simple piece of malware' disguised as an Android system update which turned infected devices into TCP proxies that could be controlled by attackers.
However, the firm says that the group has now released a new and more sophisticated variant – NotCompatible C – which borrows features commonly found in PC malware. For example, the botnet is resilient to network-based blocking as it uses P2P and has multiple geographically-distributed C&C servers (making it difficult for government agencies to takedown), while it encrypts all C2 and proxied data traffic end-to-end.
The malware performs mutual authentication between clients and C2 servers via public key cryptography and has protocol-level encryption which prevents network security systems from differentiating malicious and legitimate traffic. For example, SSL data is sent over port 443 – the default SSL port.
The botnet is certainly more advanced than its predecessor, which had simple client-server architecture where the device communicated directly with one C2 at a time and which employed no encryption or obfuscation to hide the activity. The original NotCompatible carried out “drive-by-download” attacks where victims were served malicious apps when they visited certain websites.
NotCompatible C is able to infect Android devices not through the usual way of fake or Trojanised apps on Google Play, but rather by sending huge quantities of spam to mobile devices which often lack any sort of security protection.
The devices most under threat, according to the firm, are devices which operate outside the traditional security perimeter. These include Bring Your Own Device (BYOD) smartphones and tablets and hand-held inventory scanners. On the latter, Lookout says hackers have already used such a device to bypass security defences and steal a company's entire financial database.
Once the mobile device is infected, security researchers say that NotCompatible C can be used by attackers to access any network said device was already connected to, such as corporate Wi-Fi networks and VPNs. Fortunately, Lookout traffic suggests that NotCompatible.C clients are connecting to ‘generic' private networks with no evidence suggesting automatic network scanning.
That said, the firm has not yet analysed traffic from infected devices on potentially targeted corporate networks and instead says that it's mostly being used to send huge quantities of spam and bypass ecommerce and anti-fraud mechanisms, bulk ticket purchasing and brute force attacks (such as password guessing on WordPress) and c99 control.
But worryingly, the group says that “a large, multi-faceted cyber-crime group” is providing access to its network to other cyber-crime groups” although it says attribution is tricky as NotCompatible was ‘literally built to obfuscate people's identities'.
The company concluded in its research: “NotCompatible.C possesses distinctive and impressive technical sophistication in the world of mobile malware. Its resiliency, resistance to network-based detection, and self-protection features make it a potent threat in the hands of an attacker. As a mobile botnet with widespread distribution and proxy capabilities, the potential use of NotCompatible.C as a gateway to attack protected networks and systems is not only plausible, but a likely outcome.”
“We believe that NotCompatible is already present on many corporate networks because we have observed, via Lookout's user base, hundreds of corporate networks with devices that have encountered NotCompatible. It's reasonable to assume there are many more devices with active NotCompatible infections that are not protected by Lookout that also connect to corporate networks.”
Lookout product manager Jeremy Linden said in an email to SC: “This is the first time Lookout has seen a mobile botnet of this sophistication. The technology has risen to support a robust rent-a-botnet business - something we've seen for years in the PC world, but less so in mobile. People say that mobile threats aren't a problem, but now we're starting to see the sophistication of PC malware on mobile.
NotCompatible is a changed beast. Its sophistication suggests the malware industry sees mobile as worth spending time, effort, and money on.
Simon Green, cyber-security expert at PA Consulting Group, told SCMagazineUK.com that people are still using the unpatchable flaw despite the sophistication of the Android botnet.
“The weakest link in all of this is still people. Social engineering is the primary attack method which can be mitigated through the use of HoMER (CPNI's people risk approach)”
“Corporate security should look to identify SSL session initialisation as a technical measure, deploying monitoring for mobile devices performing any sort of local network whilst educating people about safe practices”
It is recommended that companies use mobile threat protection, ensure network segmentation and take infected devices and VPNs off the network.