Antivirus vendor Symantec announced recently that up to 5 million Android devices may have been infected with a particular type of malware.
Multiple publishers were pushing out apps — some of which were found in the official Android Market — containing malware known as “Counterclank,” according to the AV company.
This is a minor modification of Android Tonclank, a bot-like threat that can receive commands to carry out certain actions as well as steal information from the device.
The malicious code Symantec detected had been grafted onto the main app through a package called “Apperhand,” the company said. When the package is executed, a service, also called “Apperhand,” may be seen running on an infected device.
Further, an unwanted search icon might show up on the infected device’s screen, Symantec said.
Malware? Que Malware?
However, security experts from other organizations said the infected apps weren’t carrying malware but adware.
“We’re 100 percent certain that Apperhand isn’t malware; it’s just a form of an ad network,” Tim Wyatt, principal engineer at Lookout Mobile Security, told LinuxInsider.
“I’d call it a ‘Pup,'” Dave Marcus, director of security research and communications at McAfee Labs, told LinuxInsider. PuP refers to a potentially unwanted program.
“Until some more information surfaces that this is malware, I’d say there’s no need to be concerned,” suggested Roger Thompson, chief emerging threats researcher at ICSA Labs.
Why the Malware Fears Were Sparked
Android Counterclank has the highest distribution of any malware identified so far this year, Symantec stated.
Publishers whose apps apparently contained Apperhand include iApps7, Ogre Games, and redmicapps. Affected apps include “Sexy Women Puzzle,” “Deal & Be Millionaire,” “Stripper Touch Girl,” “Counter Elite Force” and “Hit Counter Terrorist.”
The skyrocketing popularity of Android devices has exacerbated concerns among AV vendors that a flood of Android malware is on its way this year.
Android is more vulnerable than the iPhone or BlackBerry for three reasons, ICSA’s Thompson told LinuxInsider.
First, you can download Android apps from any website, he said. Second, it is “very easy to Trojanize” an Android app compared an iOS app, which “would require significant reverse engineering first,” Thompson said. Third, the development platform “is cheap and well-understood.”
Adware, Malware – What’s the Difference?
The Apperhand SDK in Android Counterclank can identify users uniquely by their International Mobile Equipment Identity (IMEI) number, Lookout said. It can also deliver push notification ads and bookmarks to browsers, and drop search icons on the screen.
Although apps containing Apperhand are not necessarily malicious, “we think aggressive adware pushes the privacy bounds and people have a right to not want apps like this on their devices,” Lookout’s Wyatt said.
“Who will decide where the thin line between legitimate apps and adware or spyware should be?” asked Jakob Ehrensvard, chief technology officer at Yubico.
Further, the question of whose responsibility it will be “if the user accepts a … legal document by simply clicking ‘OK’ and then later finds out that he has accepted being monitored” needs to be clarified, Ehrensvard told LinuxInsider.
Sniffing Out the Unwanted Ads
“Some vendors have added detection for [Apperhand], but others are still trying to make up their minds,” ICSA Labs’ Thompson suggested. “It’s simply not an easy decision. Symantec initially saw it one way, and they may change their minds.”
Indeed, that’s just what might happen.
“We are continuing our analysis of this issue and expect additional information shortly,” Eric Chien, director of Symantec Security Response, told LinuxInsider.
The emergence of aggressive adware may spur antivirus vendors to action.
“For years, security companies did not detect adware or greyware in the PC space, and it became a nuisance,” Chien remarked. “Eventually security companies did address this space to the benefit of computer users.”
Google did not respond to our request for comment.