
Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Android NotCom malware resurfaces (with improvements)

Almost a year ago we reported the emergence of Android “NotCom” malware. Much of the malware was distributed in email links sent from compromised email accounts. What was notable then was the use of the same link to direct users to different destinations based on the visiting device. PC or iOS users were sent to a diet scam site while Android users were singled out with a malware download.

The method and the malware package “security.update.apk” have recently resurfaced. Once again non-Android users are sent to a diet scam page (touting garcinia cambogia).

Malware Analysis

This year’s version is very similar to the NotCom.A that spread a year ago but is more sophisticated, featuring encryption and a P2P function. Some vendors refer to the malware as Nioserv.

The malware creates a background service called “com.security.patch”. Going through the code, it appears to set up a proxy and is then used as a P2P client. All the data it sends out is encrypted. Our AV lab measured how much data the malware sends and receives, and it turned out to be a lot. With no service on the phone connecting to the internet other than the malware’s “com.security.patch”, it had transmitted almost 1 MB of data after 15 minutes: that’s 96 MB in 24 hours!

We then opened a web page that used 0.83 MB, and the malware immediately doubled that data usage. Data usage could therefore get very expensive for mobile Internet users. And of course all browsing goes through some proxy server.

The main address the malware connects to is “172.16.1.5”, which is a private IP address. This appears to be the malware’s P2P service. By sniffing the packets from “172.16.1.5” we saw lots of different addresses.
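The two observations above (a sustained outbound data rate and a destination in a private address range) are the kind of signals an AV lab can turn into a simple per-app traffic triage. The script below is an added example written for this post, not Cyren’s own tooling: it aggregates constructed per-app traffic samples for a 15-minute window, projects each app’s volume to 24 hours the same way the measurement above does (1 MB per 15 minutes is 96 MB per day), and notes whether any destination is in a private range using Python’s `ipaddress` module. The sample byte counts, the package names other than “com.security.patch”, the destination addresses other than 172.16.1.5, and the 50 MB/day threshold are all assumptions.

```python
"""Per-app network-usage triage (added example, not from the Cyren post).

The samples below are constructed for illustration.  Only the package name
"com.security.patch" and the address 172.16.1.5 come from the post; every
other name, address and byte count is an assumption made for this example.
"""
import ipaddress
from collections import defaultdict

# Constructed traffic samples captured over a 15-minute window:
# (package, destination address, bytes sent, bytes received)
SAMPLES = [
    ("com.security.patch", "172.16.1.5", 520_000, 430_000),   # from the post: ~1 MB / 15 min
    ("com.security.patch", "172.16.1.5", 30_000, 20_000),
    ("com.android.chrome", "93.184.216.34", 120_000, 710_000),  # ~0.83 MB, one web page load
    ("com.example.weather", "93.184.215.14", 2_000, 14_000),    # small, ordinary background sync
]

WINDOW_MINUTES = 15
DAY_MINUTES = 24 * 60


def daily_projection(bytes_in_window, window_minutes=WINDOW_MINUTES):
    """Extrapolate a window measurement to 24 hours (1 MB / 15 min -> 96 MB / day)."""
    return bytes_in_window * DAY_MINUTES / window_minutes


def summarize(samples):
    """Aggregate bytes per package and record whether any destination is in a
    private (RFC 1918 / RFC 4193 and similar reserved) range."""
    totals = defaultdict(lambda: {"bytes": 0, "private_dst": False, "dsts": set()})
    for pkg, dst, sent, recv in samples:
        entry = totals[pkg]
        entry["bytes"] += sent + recv
        entry["dsts"].add(dst)
        if ipaddress.ip_address(dst).is_private:
            entry["private_dst"] = True
    return totals


def flag_suspicious(samples, daily_mb_threshold=50.0):
    """Return (package, projected MB/day, talks_to_private_address) for every
    package whose projected daily volume meets the threshold.  Volume alone is
    not a verdict; the private-address flag is what separates the malware's
    proxy/P2P traffic from an ordinary browser session here."""
    findings = []
    for pkg, entry in summarize(samples).items():
        projected_mb = daily_projection(entry["bytes"]) / 1_000_000
        if projected_mb >= daily_mb_threshold:
            findings.append((pkg, round(projected_mb, 1), entry["private_dst"]))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, mb_per_day, private in flag_suspicious(SAMPLES):
        note = "destination in private range" if private else "public destinations only"
        print(f"{pkg}: ~{mb_per_day} MB/day ({note})")
```

Run on the constructed samples, both the malware service and the browser exceed the volume threshold, which is the point of the second signal: a phone on a mobile network has no business sending a steady stream of encrypted traffic to 172.16.1.5, whereas a browser page load to public addresses is expected. On a real device the byte counters would come from Android’s per-UID network statistics rather than a hand-written list.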

As a result of the encryption we can only speculate as to the purpose of the malware. It seems likely that it could steal device and user data and, as with last year’s, may be part of some Android botnet.
