Android-powered smartphones or tablets are reportedly being targeted with malicious software that puts them at the mercy of hacker overlords, security firm Lookout warned consumers on Wednesday. In other words hackers can now effectively turn Android phones into so-called botnets, a compromised device that can be used to communicate with other infected devices for nefarious purposes.
It appears that a nasty mobile malware campaign targeting Android users has hit between four million and 4.5 million Americans since January of 2013, according to an estimate by Lookout, a San Francisco mobile security company that has been tracking the malware for about two years. The latest variant of the malware, NotCompatible.C, also uses end-to-end encryption, so that its botnet traffic will “appear as binary data streams, unremarkable and indistinguishable from legitimate encrypted traffic such as SSL, SSH or, VPN traffic.”
“NotCompatible C. has set a new bar for mobile malware sophistication and operational complexity,”
the firm said.
“The command infrastructure and communication perseveres and self-protects through redundancy and encryption, making it elusive and enduring. It’s an earthworm with its tail cut off that regenerates and thrives.”
NotCompatible is an Android malware that has been active since at least 2012. The malware targets smartphones and tablets using drive-by downloads and uses them as a launch point to spread through corporate networks.
The malware has been getting onto smartphones by first infecting a legitimate website. When users visit that website from their phone, they unwittingly download the malicious code. This particular strategy is
“one of the first times hacked websites were used at a large scale to specifically target and infect mobile devices,”
said Tim Strazzere, Lookout’s lead research and response engineer, in a blog post.
In other cases, the attackers sent spam from hijacked email accounts to their victims. That technique, Lookout’s researchers say, successfully caused more than 20,000 infections a day. More recently, researchers say, attackers have been tricking their victims into installing the malicious code by disguising it as a “security patch” in an email attachment. In others, spam emails advertised weight loss solutions with a link that served up malware to Android users.
Moreover National Security Agency Director Michael Rogers sees mobile hacking as a Top 3 concern in 2015.