"NotCompatible" Malicious Software Spread on Android Phones
The technological evolution of a piece of malicious software dubbed "NotCompatible" has turned a once compelling piece of malware into one of the longest-running known mobile botnets, a prime example of how mobile malware is growing in complexity and borrowing technical tactics already seen in PC malware. "NotCompatible" is a mobile malware campaign targeting Android users that has hit between four million and 4.5 million Americans since January, according to an estimate by Lookout, a San Francisco mobile security company.
The latest variant of it, "NotCompatible.C", has set a new bar for mobile malware sophistication and operational complexity, according to the security researchers.
Its command infrastructure and communications persist and protect themselves through redundancy and encryption, making the botnet elusive and enduring.
In order to protect its infrastructure, NotCompatible.C employs a two-tiered server architecture. The gateway command and control (C2) server uses a load-balancing approach in which infected devices from different IP address regions are filtered and segmented geographically, and only authenticated clients are allowed to connect. This model not only makes client usage more efficient; Lookout's research suggests that it also helps the operators avoid discovery.
If an infected device validates with the gateway properly, it receives a configuration file containing all active operational C2s, which, at last count, comprised more than ten separate and distinct servers located across Sweden, Poland, the Netherlands, the U.K., and the U.S.
Once contact has been made with the operational C2, the infected device receives a list of other infected devices (i.e. "clients") to which it can connect and with which it can share intel.
This capability, which lets a client receive C2 connection orders through any number of other clients, creates powerful redundancy in the NotCompatible ecosystem, effectively a contingency plan, and hardens the botnet against disruption.
In addition, all communications between the clients and C2s are encrypted. NotCompatible.C's traffic appears as binary data streams, unremarkable and indistinguishable from legitimate encrypted traffic such as SSL, SSH, or VPN traffic.
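One defensive consequence of the "indistinguishable from SSL, SSH or VPN" observation above is that payload inspection alone will not identify this traffic, but an opaque encrypted stream on a port where a recognisable handshake is expected (a TLS ClientHello on 443, an SSH version banner on 22) is itself anomalous. The following Python script is an added example written for this article; it is not Lookout's code, not a NotCompatible signature, and it does not reproduce the malware's protocol. The port-to-handshake mapping, the 6.0-bit entropy threshold and the sample flows are all assumptions constructed for illustration; a real deployment would feed it the first client bytes of each flow from a network sensor.

```python
"""Flag opaque binary streams that lack the handshake expected on their port.

Added illustration for the NotCompatible.C article (not Lookout's code).
Heuristic: a flow to a port that normally carries TLS or SSH should begin with
that protocol's handshake. A high-entropy stream that does not is worth a look,
because genuinely encrypted traffic still announces itself (TLS record header,
SSH banner) before the opaque bytes start.
"""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    client_first_bytes: bytes  # first bytes the client sent on the connection


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for a uniform spread)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_tls_client_hello(p: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
    # two-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04 and p[5] == 0x01


def is_ssh_banner(p: bytes) -> bool:
    # RFC 4253: the identification string opens with "SSH-2.0-" (or "SSH-1.99-").
    return p.startswith(b"SSH-2.0-") or p.startswith(b"SSH-1.99-")


# Assumed mapping of "encrypted" ports to the handshake they should open with.
HANDSHAKE_FOR_PORT: Dict[int, Callable[[bytes], bool]] = {
    443: is_tls_client_hello,
    22: is_ssh_banner,
}
ENTROPY_THRESHOLD = 6.0  # assumed cut-off separating plaintext from opaque bytes


def classify(flow: Flow) -> str:
    check = HANDSHAKE_FOR_PORT.get(flow.dport)
    if check is None:
        return "unprofiled-port"
    if check(flow.client_first_bytes):
        return "expected-handshake"
    if shannon_entropy(flow.client_first_bytes) >= ENTROPY_THRESHOLD:
        return "opaque-stream-no-handshake"  # encrypted-looking, no recognised protocol
    return "plaintext-on-encrypted-port"


def suspicious_flows(flows: List[Flow]) -> List[Flow]:
    return [f for f in flows if classify(f) == "opaque-stream-no-handshake"]


# Constructed sample flows (no real captures). OPAQUE is a permutation of all
# 256 byte values, so it measures 8.0 bits/byte and starts with 0x29, not 0x16.
OPAQUE = bytes((i * 73 + 41) % 256 for i in range(256))
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("160301005d0100005903036b") + b"\x00" * 16),
    Flow("10.0.0.6", "203.0.113.11", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.7", "198.51.100.20", 443, OPAQUE),
    Flow("10.0.0.8", "198.51.100.21", 443, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    Flow("10.0.0.9", "198.51.100.22", 8080, OPAQUE),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}  {classify(f)}")
    print("review:", [f.src for f in suspicious_flows(SAMPLE_FLOWS)])
```

The third flow is the NotCompatible-shaped case: high-entropy bytes on 443 with no TLS record header in front of them. The check is deliberately narrow; it says nothing about opaque streams on unprofiled ports (the last flow), so the port table has to be extended to whatever the environment actually expects, and a pinned-certificate app or a non-standard VPN will also trip it, which is why the output is a review list rather than a verdict.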
"NotCompatible is very likely a rent-a-botnet business that allows anyone to buy access for a variety of activities," Lookout said.
Lookout has tracked a few distinct malicious uses of NotCompatible.C, including spam campaigns (Live, Aol, Yahoo, Comcast); bulk ticket purchasing (Ticketmaster, Livenation, Eventshopper, Craigslist); brute-force attacks (WordPress); and c99 shell control (observed logging into shells and performing different actions).
In order to gain new clients to add to this business, the NotCompatible.C operators use the same distribution methods as earlier variants: drive-by downloads through spam campaigns and compromised websites. One observed spam email simply informs the user that they need to install a "security patch" in order to view an attached file.
To date, Lookout has not observed NotCompatible.C being used to target protected networks, though the proxy capability makes it a potential threat as well as a direct risk to network security. However, researchers believe that NotCompatible is already present on many corporate networks because they have observed, via Lookout's user base, hundreds of corporate networks with devices that have encountered NotCompatible.
How could this threat make its way into an organization? As soon as a mobile device carrying NotCompatible.C is brought into an organization, it could provide the operators of this botnet with access to the organization's network. Using the NotCompatible proxy, an attacker could potentially do anything from enumerating vulnerable hosts inside the network to exploiting vulnerabilities and searching for exposed data.
As with most malware discoveries, Lookout, the company sounding the alarm, is offering a mobile security application available for both Apple's iOS and Android-powered smartphones, which is able to identify the NotCompatible malware and keep it from infecting Android devices that have downloaded the Lookout app.