A number of legitimate but compromised websites have been spotted serving Android malware to unsuspecting visitors, warns Lookout.


The downloading of the malware, which poses as a system update, is triggered automatically thanks to the hidden malicious code (iFrame or JavaScript) located at the bottom of each page.

The download is triggered only if the user visits the page with a browser with the word “Android” in its user-agent header. To other users, a "not found" error or a blank page is returned.

The installation of the app - actually a Trojan dubbed "NotCompatible" - will be blocked by the device if the “Unknown sources” setting is enabled (meaning that the installation of apps from sources other that Google Play is allowed.

The other good news is that that the Trojan must ask the user for permission to be installed, but that doesn't mean much if the target is an inexperienced user.

"Based on our current research, NotCompatible is a new Android Trojan that appears to serve as a simple TCP relay/proxy while posing as a system update," shared the researchers. "This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy."

They also say that the threat isn't big, as currently just a number of sites have been injected with the malicious code and they have relatively low traffic.

But even though this piece of malware does not seem to hide its intentions well, the fact remains that it can be used to gain access to enterprise or government information or systems.

And the fact that not a great many sites have been compromised to serve it might mean that this particular attack is only an experiment. If it goes well, the criminals behind it might consider mounting other similar ones.

Currently, the Trojan is served from gaoanalitics.info and androidonlinefix.info, and the C&C domain is located on notcompatibleapp.eu.