Android.Counterclank an Aggressive Mobile Ad Network, Not Malware: Lookout
Despite Symantec's warning to the contrary, Android.Counterclank is not malware, according to researchers at Lookout Mobile Security.
Android.Counterclank is a botlike threat that can receive commands from remote servers to carry out certain actions, as well as steal information from infected devices, Symantec researcher Irfan Asrar wrote on the company's Symantec Security Response blog Jan. 27.
The security firm estimated anywhere from 1 million to 5 million users had been infected by what it called malware via 13 different applications found on the official Android Market. Symantec described the Android.Counterclank code as a Trojan that is available "as an application package" from iApps7, Ogre Games and remicapps.
The claims were overblown, according to researchers at Lookout Mobile Security. Symantec identified a package, Apperhand, that was included in each of the 13 applications, as the offending code. When executed, a service of the same name runs on the device and a search icon is included on the home screen, Symantec said.
While the "average Android user" would probably not want Apperhand running on his or her device, there is "no evidence" of "outright malicious behavior" by Apperhand at this time, according to Lookout.
Malware is designed to engage in malicious behavior and can be used to steal personal information from the mobile device, according to Lookout. Apperhand doesn't do any of those things. The things Apperhand does, such as placing search icons on the home screen and pushing advertisements on to the notifications bar, are capabilities that can be found in similar "more aggressive" ad networks, Lookout said.
"We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK is an aggressive form of ad network and should be taken seriously," Lookout said in its blog post.
Symantec said Apperhand was packaged in 13 applications on the Android Market, including games such as Counter Strike Ground Force, Balloon Game and Sexy Girls Puzzle. In an update posted Jan. 30, Symantec Security Response said that Apperhand found in Counterclank applications helps app developers monetize their applications using search.
The question over whether or not Counterclank is malware is similar to what happened when adware, spyware and "Potentially Unwanted Applications" first appeared on the Windows platform, Symantec said in its update. Many security tools initially did not detect the presence of these applications, but eventually, security companies began notifying users when these types of applications were detected on the system, according to Symantec.
The "combined behavior" of the applications, negative feedback from users who installed them and the fact that other apps using an earlier version of Apperhand were initially suspended from the Android Market led to Symantec's decision to issue the warning, the company said. Google declined to remove Counterclank apps from the Market because they complied with the Terms of Service, according to Symantec.
Lookout examines not just mobile apps, but software development kits that are commonly bundled with apps, according to Lookout's blog post. Researchers have been "focusing heavily" on the capabilities of mobile advertising SDKs and have found that some mobile advertising platforms "go beyond the commonly accepted behavior of ad networks with more aggressive tactics," researchers wrote.
Apperhand is similar to a previous advertising SDK that appeared in a number of apps, including the ChoopCheec platform and Plankton June 2012, according to Lookout. Early versions of that SDK "crossed several privacy lines" in the data it collected. But the latest version does not repeat those mistakes, Lookout said.
Apperhand sends a hash of unique device identifiers such as the IMEI value, and device information such as the brand, manufacturer, model and the Android version it is running, according to Symantec.
Apperhand has the capability to deliver "push notification" ads to the user's device. "We're not huge fans of push notifications, but we also don't consider push notification advertising to be malware," Lookout wrote in the blog post. The fact that it pushes bookmarks to the browser "crosses a line," but it's not enough to classify the package as malware, according to Lookout.
The search icon being added to the mobile desktop is "bad form" but still not malicious because it is just a link to a legitimate search engine delivering safe content, Lookout said.
"At this point, it appears that what we're seeing is an example of an ad network that pushes the lines of privacy," Lookout said, noting that there is a growing trend of this type of behavior.
Lookout is actively working on a mechanism that would allow users to understand whether applications have "potentially undesirable behavior" without creating "unnecessary worry," the company said.