Number:IRCNE2014042149
Date: 2014-04-08
According to “zdnet”, a recent spam campaign exhibits more than the usual amount of cleverness, as described by Jim Clausing at the SANS Institute.
Clausing investigated a suspicious email of a type that was spreading several weeks ago. It contained a link which, when followed on most platforms, went to a typical spam site. When followed on Android, it distributed Android malware.
When I test the URL from Chrome on a PC, I am redirected to a Canadian pharmacy site, a classic spam target as Clausing says. When I test it from Chrome on Android, I am redirected to the root of the domain, which says that the domain is for sale. I am not served any malware. So the malware itself has been taken down.
The malware itself, according to Clausing, was the latest version of "DroidNotCompatible." Based on some Googling, this appears to be the malware usually called "NotCompatible" and which comes in a file named update.apk.
In order to run the attack, one must first enable installs from untrusted sources in Android settings and then choose to run the APK from the downloads folder. So it's far from a true drive-by, but it's still interesting that it downloads only on Android devices.
- 10