Lookout Mobile Security takes Symantec to task for calling Counterclank malware, arguing that it's just an aggressive ad network. Symantec said users still need to be warned about adware.
Despite
Symantec's warning to the contrary, Android.Counterclank is not malware,
according to researchers at Lookout Mobile Security.
Android.Counterclank
is a botlike threat that can receive commands from remote servers to carry out
certain actions, as well as steal information from infected devices, Symantec
researcher Irfan Asrar wrote on the company's
Symantec Security Response blog Jan. 27.
The
security firm estimated anywhere from 1 million to 5 million users had been
infected by what it called malware via 13 different applications found on the
official Android Market. Symantec described the Android.Counterclank code as a
Trojan that is available "as an
application package" from iApps7, Ogre Games and remicapps.
The
claims were overblown, according to researchers at
Lookout Mobile Security. Symantec
identified a package, Apperhand, that was included in each of the 13
applications, as the offending code. When executed, a service of the same name
runs on the device and a search icon is included on the home screen, Symantec
said.
While
the "average Android user" would probably not want Apperhand running
on his or her device, there is "no evidence" of "outright
malicious behavior" by Apperhand at this time, according to Lookout.
Malware
is designed to engage in malicious behavior and can be used to steal personal
information from the mobile device, according to Lookout. Apperhand doesn't do
any of those things. The things Apperhand does, such as placing search icons on
the home screen and pushing advertisements on to the notifications bar, are capabilities
that can be found in similar "more aggressive" ad networks, Lookout
said.
"We
disagree with the assessment that this is malware, although we do believe that
the Apperhand SDK is an aggressive form of ad network and should be taken
seriously," Lookout said in its blog post.
Symantec
said Apperhand was packaged in 13 applications on the Android Market, including
games such as Counter Strike Ground Force, Balloon Game and Sexy Girls Puzzle.
In an update posted Jan. 30,
Symantec Security Response said that Apperhand
found in Counterclank applications helps app developers monetize their
applications using search.
The
question over whether or not Counterclank is malware is similar to what
happened when adware, spyware and "Potentially Unwanted Applications"
first appeared on the Windows platform, Symantec said in its update. Many
security tools initially did not detect the presence of these applications, but
eventually, security companies began notifying users when these types of
applications were detected on the system, according to Symantec.
The
"combined behavior" of the applications, negative feedback from users
who installed them and the fact that other apps using an earlier version of
Apperhand were initially suspended from the Android Market led to Symantec's
decision to issue the warning, the company said. Google declined to remove
Counterclank apps from the Market because they complied with the Terms of
Service, according to Symantec.
Lookout
examines not just mobile apps, but software development kits that are commonly
bundled with apps, according to Lookout's blog post. Researchers have been
"focusing heavily" on the capabilities of mobile advertising SDKs and
have found that some mobile advertising platforms "go beyond the commonly
accepted behavior of ad networks with more aggressive tactics,"
researchers wrote.
Apperhand
is similar to a previous advertising SDK that appeared in a number of apps,
including the ChoopCheec platform and Plankton June 2012, according to Lookout.
Early versions of that SDK "crossed several privacy lines" in the
data it collected. But the latest version does not repeat those mistakes,
Lookout said.
Apperhand
sends a hash of unique device identifiers such as the IMEI value, and device
information such as the brand, manufacturer, model and the Android version it
is running, according to Symantec.
Apperhand
has the capability to deliver "push notification" ads to the user's
device. "We're not huge fans of push notifications, but we also don't
consider push notification advertising to be malware," Lookout wrote in
the blog post. The fact that it pushes bookmarks to the browser "crosses a
line," but it's not enough to classify the package as malware, according
to Lookout.
The
search icon being added to the mobile desktop is "bad form" but still
not malicious because it is just a link to a legitimate search engine
delivering safe content, Lookout said.
"At
this point, it appears that what we're seeing is an example of an ad network
that pushes the lines of privacy," Lookout said, noting that there is a
growing trend of this type of behavior.
Lookout
is actively working on a mechanism that would allow users to understand whether
applications have "potentially undesirable behavior" without creating
"unnecessary worry," the company said.
Email
Print
