11:56 AM
Connect Directly

Android Counterclank: Malware, Or Smartphone Advertising?

Apperhand SDK drops a search icon onto the Android desktop and tracks your device's ID, but so does any adware. Here's what you need to know.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
Beware newly discovered malware that's been built into 13 apps that are sold on Google's official Android Market, which have been collectively downloaded up to 5 million times.

Dubbed Counterclank, or Android.Counterclank, the software has been built into such Android titles as Counter Strike Ground Force, Heart Live Wallpaper, Balloon Game, and Sexy Girls Puzzle. The apps are distributed by such publishers as iApps7, Ogre Games, and Tedmicapps.

Counterclank "is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device," said Irfan Asrar, a security response manager at Symantec, in a blog post.

[ Overgenerous permissions are a common problem. See Mobile Apps Quietly Steal Your Privacy. ]

Signs of infection include apps that have a package running that's called Apperhand, which is also the name of the software development kit (SDK) used to install Apperhand into apps. "When the package is executed, a service with the same name may be seen running on a compromised device," said Asrar. "Another sign of an infection is the presence of the search icon [a magnifying glass over a blue background] above on the home screen."

He said that, based on the number of times that the apps containing Counterclank have been downloaded, it's the most prevalent mobile malware seen so far in 2012.

But does Counterclank really count as malicious code, aka malware? "We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK is an aggressive form of ad network and should be taken seriously," according to a blog post from mobile security vendor Lookout.

Apperhand resembles an SDK that appeared in multiple apps in June 2011, and which was known as "ChoopCheec platform" or "Plankton," according to Lookout. "Early incarnations of this SDK crossed several privacy lines in the data it collected about users, but the current version does appear to have cleaned up its act somewhat."

The malware-versus-adware question isn't just academic, since malware is designed for malicious purposes, such as stealing people's personal information, or making endpoints function as part of a botnet. Adware, on the other hand, is meant to fully disclose what it's doing. Furthermore, vendors that rely on adware distribution often argue that it enables users to use applications without having to purchase them. By those definitions, Counterclank seems to fall into the adware category.

Still, proceed carefully. "The average Android user probably doesn't want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behavior," said Lookout. "In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks."

Lookout warned that Apperhand has four capabilities--again, common to many types of adware--which may give Android smartphone app shoppers pause. Notably, the SDK can deliver push notifications containing advertising to devices, and identify a device's IMEI, or international mobile equipment identity number, although the SDK does hash that data to obscure it before transmitting it to the advertising network. In addition, apps with the SDK can push bookmarks to the Android browser, and create a search icon on the desktop that links to a search engine, both of which Lookout classifies as "bad form," but not malware.

Google did not immediately respond to an email asking whether apps containing Counterclank might violate its terms of service and be subject to removal from the Android Market.

It's no longer a matter of if you get hacked, but when. In this special retrospective of news coverage, Monitoring Tools And Logs Make All The Difference, Dark Reading takes a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/31/2012 | 7:50:45 PM
re: Android Counterclank: Malware, Or Smartphone Advertising?
Sounds like some kind of app "sandbox" ... but with more straw, maybe a few animals, a couple wise men, and a virgin, if you're lucky. ;-)
Tom LaSusa
Tom LaSusa,
User Rank: Apprentice
1/31/2012 | 4:21:58 PM
re: Android Counterclank: Malware, Or Smartphone Advertising?
Great article, Matt!

Tom LaSusa
User Rank: Apprentice
1/31/2012 | 12:03:22 AM
re: Android Counterclank: Malware, Or Smartphone Advertising?
Sounds like it could be more annoying than malicious, but either way it's good for users to know about it.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
User Rank: Apprentice
1/30/2012 | 7:11:58 PM
re: Android Counterclank: Malware, Or Smartphone Advertising?
Could someone please tell me what a security response "MANGER" at Symantec is?

How does and editor keep their job with mistakes like this? Just saying.
User Rank: Apprentice
1/30/2012 | 5:58:06 PM
re: Android Counterclank: Malware, Or Smartphone Advertising?
Symantec, the world-famous scareware vendor, does not have any credibility when warning about malware. They make their money by frightening people into buying their overpriced and ineffective security software.
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.