Mobile security firm Lookout detailed how the malware has grown in complexity to hide its botnet activity.
Mobile security firm Lookout detailed how the malware has grown in complexity to hide its botnet activity.

Researchers have tracked the evolution of Android malware, called “NotCompatible,” and found that the threat has picked up tricks that enhanced its persistence, making it the longest running mobile botnet they've observed yet.

Mobile security firm Lookout detailed its findings in a Wednesday blog post. Discovered by Lookout in 2012, NotCompatible was initially used as a proxy to further spam campaigns. Today, however, the malware has spawned a formidable botnet capable of spamming users, carrying out click-fraud, fraudulent online ticket purchasing, automated exploitation (such as brute-force attacks against WordPress), and c99 shell control, Lookout revealed.

Jeremy Linden, senior security product manager at Lookout, told SCMagazine.com in an interview that, since its emergence two years ago, attackers have tried to install NotCompatible on hundreds of thousands of devices operated by its user base. Most of the targeted users were in the U.S., he added.

“The [malware] structure has been completely overhauled,” Linden said. “It's clear it took a lot of time and technology to build this. The servers are dispersed internationally and [attackers] are designing their systems to be resilient, so if someone like us is able to take down one of the C2 servers, they are able to bounce back and use another command-and-control server.”

Linden continued, adding that the botnet of infected devices can communicate in a peer-to-peer fashion, “so the bots can talk to each other,” as opposed to communicating with a control hub, should a server go down.

“They will still mange to get the commands through,” Linden explained.

The latest variant of the malware, NotCompatible.C, was first detected by Lookout last year. In its blog post, the firm charted infection rate spikes in the U.S. since January 2013. The post noted that NotCompatible.C also uses end-to-end encryption, so that its botnet traffic will “appear as binary data streams, unremarkable and indistinguishable from legitimate encrypted traffic such as SSL, SSH or, VPN traffic.”

Lookout determined that the botnet is likely being rented out to scammers, and warned that the malware could make its way into an enterprise environment, if an infected device is brought into an organization.

“Using the NotCompatible proxy, an attacker could potentially do anything from enumerating vulnerable hosts inside the network, to exploiting vulnerabilities and search for exposed data,” the blog post said.

In his interview with SCMagazine.com, Linden said that the malware is primarily delivered to victims by way of malicious emails opened on mobile devices, or via drive-by download as mobile users visit “sketchy websites on [their] phone.” NotCompatible is often disguised as a system update, in an attempt to lure users into installing the malware, he added.