SCF Advanced Search

  • Total Posts: 37717
  • Total Topics: 12399
  • Online Today: 1650
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: ‘Android/NotCompatible’ Looks Like Piece of PC Botnet  (Read 1933 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez

Android alert! Scammers have figured out a way to infect legitimate websites with malicious applications that look like Android system updates. Be careful when browsing the web on your device and “share” this post with your friends so they know about the threat.

‘Android/NotCompatible’ Looks Like Piece of PC Botnet

A lot of recent attacks on Android users are attributed to fake websites of popular applications such as Cut the Rope, Instagram, Angry Birds, or Grand Theft Auto III. However, the very recently discovered malware NotCompatible uses a distribution method not previously seen in the mobile world. The malware hacks into vulnerable websites to inject a hidden iframe that points to a malicious application. This app is downloaded to the device without user consent when the victim visits the infected legitimate website. Let’s take a deeper look into this malicious application, which has a very interesting payload that is not common in the mobile world.

Several websites have been found with an injected hidden iframe, most of them based on an old version of WordPress and with a bad permission structure.

Larger Picture

That piece of code redirects to another host, hxxp://android[censored], that detects if the browser agent is Android. In this case, the server gives the device the URL that points to the Android install package, which will be automatically downloaded and saved onto the device’s SD card. The malware is downloaded, but not executed; it requires user assistance to activate. To accomplish that step, the application names the downloaded file Update.apk and the application com.Security.Update to trick the user into believing that the download is a legitimate Android system update:

Larger Picture

As we see in the preceding images, NotCompatible will automatically start at boot. For this reason the application does not have an icon. It starts as a service running in the background only after reboot or when the device screen changes its state (between locked and unlocked). This service opens a backdoor to receive commands from a remote server.

The remote IP and port servers are encrypted with AES inside the .apk in /res/raw/data. During analysis, we decrypted this as port 48976 and port 38691. These parameters can be changed via a remote command sent by the control server.

NotCompatible uses the New I/O Proxy API implementation, which is a low-level API that provides access to intensive input/output operations. This API provides attackers an effective method to send and receive commands in custom packages.

Once the service is started, NotCompatible communicates with its control server to send TCP data packages with customized commands. The first message sent by the infected device is the following (always sent via TCP port 8014):


The control server receives this message, confirming that the infected device is active, and it responds with a Ping message:


To this the infected device responds with a Pong:


After this initialization protocol, the control server asks the device to access a specific HTML web page to authenticate itself by validating the string A35T7G:

Larger Picture

We have seen similar behavior in a Windows PC malware (detected by McAfee as Generic.dx!bd3j) that sends and receives the same data packages to the same port but with a different control server IP address. This suggests that the infected mobile devices and the PC malware probably belong to the same botnet.

These commands can be remotely executed by the control server:

  • Send Error: Sends a custom packet with a specific byte when the command sent by the control server is invalid

  • ConnectProxy: Obtains the IP address and port as parameters and tries to open a connection to that remote host, probably to forward the network traffic sent by the control server to another host

  • ShutdownChannel: Closes a specific connection with a remote host

  • sendPong: Sends a custom packet with a specific byte when a packet with the last byte “4” is received (the ping). It is used by the control server to test network connectivity with the infected device.

  • setTimeOut: Sets a specific period during which the connection to a remote host is alive

  • newServer: Updates the configuration (AES encrypted in data.bin file inside the device) with a new control server

  • newReservServer: The same as newServer but with a backup control server

Based on our previous analysis, we conclude that NotCompatible is an unusual Android malware delivered to users using a drive-by attack that could represent a proof of concept for a targeted attack. The malware was designed to execute stealthy remote commands and act as a server proxy to redirect traffic through the device. This could be used to avoid the tracking of illicit acts by making the network traffic anonymous. Also, based on the network traffic similarities (commands, ports, strings), it is very possible that both the Android and PC malware belong to the same botnet. We will probably see more Android malware of this kind. McAfee Mobile Security detects this threat as Android/NotCompatible.A.

Orginal article: Tuesday, May 8, 2012 at 3:27pm by Fernando Ruiz 
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -


  • SCF Administrator
  • *****
  • Posts: 7516
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Re: Free protection for Android phone
« Reply #1 on: 16. May 2012., 22:46:15 »
Thanks for warning pal. :thumbsup:

By the way, all SCF visitors have possibility to choose Free protection for Android phones at "Mobile Phone Security" area:,28.0.html


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising