The download is triggered only if the user visits the page with a browser with the word “Android” in its user-agent header. To other users, a "not found" error or a blank page is returned.
The installation of the app - actually a Trojan dubbed "NotCompatible" - will be blocked by the device if the “Unknown sources” setting is enabled (meaning that the installation of apps from sources other that Google Play is allowed.
The other good news is that that the Trojan must ask the user for permission to be installed, but that doesn't mean much if the target is an inexperienced user.
"Based on our current research, NotCompatible is a new Android Trojan that appears to serve as a simple TCP relay/proxy while posing as a system update," shared the researchers. "This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy."
They also say that the threat isn't big, as currently just a number of sites have been injected with the malicious code and they have relatively low traffic.
But even though this piece of malware does not seem to hide its intentions well, the fact remains that it can be used to gain access to enterprise or government information or systems.
And the fact that not a great many sites have been compromised to serve it might mean that this particular attack is only an experiment. If it goes well, the criminals behind it might consider mounting other similar ones.
Currently, the Trojan is served from gaoanalitics.info and androidonlinefix.info, and the C&C domain is located on notcompatibleapp.eu.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.