A number of compromised websites are serving a new Trojan targeting Android devices, according to mobile security firm Lookout.
When Android users visit the infected websites, the NotCompatible Trojan automatically begins to download.
This is a new distribution method, according to Lookout. Hacked websites are frequently used to infect PCs with malware, but this is the first time the firm has seen hacked websites used to target mobile devices.
According to the firm's researchers, the Trojan appears to serve as a simple TCP relay or proxy while posing as a system update.
"This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy," the research team said on a blog post.
Distribution of NotCompatible depends on compromised websites that have a hidden iframe that is used to deliver the malicious file, identified as ‘Update.apk’.
Like any drive-by downloads, the Lookout team said a user needs to install the downloaded application before a device will be infected.
When the Trojan finishes downloading, the Android device will display a notification prompting the user to click on the notification to install the downloaded app. But in order to install the app to a device, it must have the “Unknown sources” setting enabled, otherwise it will be blocked.
"Based on our initial investigation, we’ve confirmed that a number of websites have been compromised. However, affected sites appear to show relatively low traffic and we expect total impact to Android users to be low," they said.
IT administrators should note that the Trojan can be used to access private networks. A device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government, Lookout warns.