Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Android NotCom malware resurfaces (with improvements)

Almost a year ago we reported the emergence of Android “NotCom” malware. Much of the malware was distributed in email links sent from compromised email accounts. What was notable then was the use of the same link to direct users to different destinations based on the visiting device. PC or iOS users were sent to a diet scam site while Android users were singled out with a malware download.

The method and the malware package “security.update.apk” have recently resurfaced. Once again non-Android users are sent to a diet scam page (touting garcinia cambogia).

Malware Analysis

This year’s version is very similar to the NotCom.A that spread a year ago but is more sophisticated, featuring encryption and a P2P function. Some vendors refer to the malware as Nioserv.

The malware creates a service that runs in the background called “”. Going through the code it seems like it creates a proxy and is then used as a P2P client. All the data that it sends out is encrypted. Our AV lab did a test to see how much data was being sent and received by the malware and it turns out quite a lot. There was no service that connects to the internet running on the phone except for the malware “” and after 15 minutes it had transmitted almost 1 mb of data – that’s 96 MB in 24 hours!

Then we opened a webpage that used 0.83 mb and the malware doubled that amount of data right away. So data usage could get very expensive for mobile Internet users. And of course all browsing is going through some proxy server.

The main address that the malware is connecting to is “″ which is a private IP address. This appears to be the P2P service of the malware. By sniffing the packages from “″ we saw lots of different addresses.

As a result of the encryption we can only speculate as to the purpose of the malware. It seems likely that it could steal device and user data and, as with last year’s, may be part of some Android botnet.

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...