Android Counterclank: Malware, Or Smartphone Advertising?

Apperhand SDK drops a search icon onto the Android desktop

Mathew J. Schwartz, Contributor

January 30, 2012

4 Min Read

10 Companies Driving Mobile Security

10 Companies Driving Mobile Security

10 Companies Driving Mobile Security (click image for larger view and for slideshow)

Beware newly discovered malware that's been built into 13 apps that are sold on Google's official Android Market, which have been collectively downloaded up to 5 million times.

Dubbed Counterclank, or Android.Counterclank, the software has been built into such Android titles as Counter Strike Ground Force, Heart Live Wallpaper, Balloon Game, and Sexy Girls Puzzle. The apps are distributed by such publishers as iApps7, Ogre Games, and Tedmicapps.

Counterclank "is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device," said Irfan Asrar, a security response manager at Symantec, in a blog post.

[ Overgenerous permissions are a common problem. See Mobile Apps Quietly Steal Your Privacy. ]

Signs of infection include apps that have a package running that's called Apperhand, which is also the name of the software development kit (SDK) used to install Apperhand into apps. "When the package is executed, a service with the same name may be seen running on a compromised device," said Asrar. "Another sign of an infection is the presence of the search icon [a magnifying glass over a blue background] above on the home screen."

He said that, based on the number of times that the apps containing Counterclank have been downloaded, it's the most prevalent mobile malware seen so far in 2012.

But does Counterclank really count as malicious code, aka malware? "We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK is an aggressive form of ad network and should be taken seriously," according to a blog post from mobile security vendor Lookout.

Apperhand resembles an SDK that appeared in multiple apps in June 2011, and which was known as "ChoopCheec platform" or "Plankton," according to Lookout. "Early incarnations of this SDK crossed several privacy lines in the data it collected about users, but the current version does appear to have cleaned up its act somewhat."

The malware-versus-adware question isn't just academic, since malware is designed for malicious purposes, such as stealing people's personal information, or making endpoints function as part of a botnet. Adware, on the other hand, is meant to fully disclose what it's doing. Furthermore, vendors that rely on adware distribution often argue that it enables users to use applications without having to purchase them. By those definitions, Counterclank seems to fall into the adware category.

Still, proceed carefully. "The average Android user probably doesn't want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behavior," said Lookout. "In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks."

Lookout warned that Apperhand has four capabilities--again, common to many types of adware--which may give Android smartphone app shoppers pause. Notably, the SDK can deliver push notifications containing advertising to devices, and identify a device's IMEI, or international mobile equipment identity number, although the SDK does hash that data to obscure it before transmitting it to the advertising network. In addition, apps with the SDK can push bookmarks to the Android browser, and create a search icon on the desktop that links to a search engine, both of which Lookout classifies as "bad form," but not malware.

Google did not immediately respond to an email asking whether apps containing Counterclank might violate its terms of service and be subject to removal from the Android Market.

It's no longer a matter of if you get hacked, but when. In this special retrospective of news coverage, Monitoring Tools And Logs Make All The Difference, Dark Reading takes a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights