New NotCompatible malware targeting Android devices

The first time we heard of the Android malware called NotCompatible was back in 2012, when it surfaced and spread via hacked websites. A new version of NotCompatible is now making the rounds, and it has the potential to target enterprise networks. The latest version of the malware is dubbed NotCompatible.C, and it has the ability to self-protect via redundancy and encryption.

Those features make the malware difficult to find and remove from infected devices. The malware is used as a proxy to run spam campaigns or scalp concert tickets. The difference between the first version of this malware back in 2012 and the version circulating today is massive, according to Lookout.

Lookout says that its investigations have shown that the malware could assist in attacks on corporate networks, potentially allowing its controllers to steal data. The technical innovation in NotCompatible.C is on par with what Lookout says is more often seen in PC-based malware. NotCompatible.C is a botnet-for-rent with a server architecture, peer-to-peer communications, and encryption capabilities.

The sophistication of the botnet makes it one of the longest-running botnets that Lookout has observed. The new version uses a two-tiered server architecture with gateway command-and-control (C2) servers that use a load-balancing approach. Infected devices are segmented geographically, and only authenticated clients are allowed to connect. There are ten separate C2 servers that the devices can connect to, creating redundancy that makes the malware hard to defeat. Traffic between the clients and the C2s is encrypted and appears as binary data streams that are indistinguishable from legitimate traffic.

SOURCE: Lookout