NotCompatible
A TCP proxy trojan for Android discovered by Lookout in May 2012. NotCompatible turned infected Android devices into network relay nodes for spam campaigns and ticket scalping operations. Its third variant (NotCompatible.C, 2014) introduced Conficker-level sophistication with encrypted peer-to-peer C2 communication, making it the longest-running and most technically advanced mobile botnet of its era.
Overview
| Property | Value |
|---|---|
| First Seen | May 2012 |
| Type | Proxy trojan / Botnet |
| Attribution | Unknown |
| Aliases | Backdoor.AndroidOS.NotCompatible (Kaspersky), Trojan-Proxy:Android/NotCompatible (F-Secure) |
Distribution
Drive-by download attacks via compromised websites containing hidden iframes. The malware appeared as "Update.apk" or "com.Security.Update". Later variants added spear-phishing email campaigns. The drive-by only delivered the APK; the user still had to install it manually.
Capabilities
| Capability | Implementation |
|---|---|
| TCP proxy | Turned infected devices into network relay nodes |
| Spam distribution | Relayed spam traffic through victim devices |
| Ticket scalping | Used proxied connections for automated ticket purchases |
| Enterprise threat | Could access corporate networks via device Wi-Fi |
Variant Evolution
| Variant | Year | Key Change |
|---|---|---|
| NotCompatible.A | 2012 | Basic TCP proxy, simple C2 |
| NotCompatible.B | 2013 | Intermediate improvements |
| NotCompatible.C | 2014 | Encrypted P2P C2, redundant infrastructure, self-protection (Conficker-level) |
The .C variant represented a significant leap in mobile botnet sophistication, with operational complexity comparable to the most advanced desktop botnets.