Android Counterclank: Malware, Or Smartphone Advertising? - InformationWeek


Android Counterclank: Malware, Or Smartphone Advertising?

Apperhand SDK drops a search icon onto the Android desktop and tracks your device's ID, but so does any adware. Here's what you need to know.

Beware newly discovered malware that's been built into 13 apps that are sold on Google's official Android Market, which have been collectively downloaded up to 5 million times.

Dubbed Counterclank, or Android.Counterclank, the software has been built into such Android titles as Counter Strike Ground Force, Heart Live Wallpaper, Balloon Game, and Sexy Girls Puzzle. The apps are distributed by such publishers as iApps7, Ogre Games, and Tedmicapps.

Counterclank "is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device," said Irfan Asrar, a security response manager at Symantec, in a blog post.

Signs of infection include a running package called Apperhand, which is also the name of the software development kit (SDK) used to build it into apps. "When the package is executed, a service with the same name may be seen running on a compromised device," said Asrar. "Another sign of an infection is the presence of the search icon [a magnifying glass over a blue background] above on the home screen."
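The running-service indicator described above can be checked from a workstation by scanning the text output of `adb shell dumpsys activity services`. The following is an added example, not code from Symantec, Lookout or the article; the sample output and the `placeholder` class names are constructed, and the only marker it relies on is the name "Apperhand" given above.

```python
import re

# Marker taken from the article: the package and service are called "Apperhand".
MARKER = "apperhand"

# Matches service entries in `dumpsys activity services` output, e.g.
#   * ServiceRecord{41f2a0c8 u0 com.example.app/.SomeService}
# The "u0" user field is absent on older Android releases, so it is optional.
SERVICE_RE = re.compile(
    r"ServiceRecord\{\S+\s+(?:u\d+\s+)?(?P<pkg>[\w.]+)/(?P<cls>[\w.$]+)\}"
)


def full_class(pkg, cls):
    """Expand the shorthand '.Service' to 'com.pkg.Service'."""
    return pkg + cls if cls.startswith(".") else cls


def find_apperhand_services(dumpsys_text):
    """Return {host_package: [service_class, ...]} for every running service
    whose host package or class name contains the marker (case-insensitive).
    The host package is the app that embeds the SDK, i.e. the one to review."""
    hits = {}
    for m in SERVICE_RE.finditer(dumpsys_text):
        pkg = m.group("pkg")
        cls = full_class(pkg, m.group("cls"))
        if MARKER in pkg.lower() or MARKER in cls.lower():
            classes = hits.setdefault(pkg, [])
            if cls not in classes:
                classes.append(cls)
    return hits


# Constructed sample output; package and class names are placeholders.
SAMPLE = """\
ACTIVITY MANAGER SERVICES (dumpsys activity services)
  * ServiceRecord{41a3c2d0 com.example.wallpaper/com.apperhand.placeholder.SdkService}
    intent={cmp=com.example.wallpaper/com.apperhand.placeholder.SdkService}
  * ServiceRecord{41b7e118 u0 com.example.notes/.SyncService}
  * ServiceRecord{41c01f90 u0 com.example.puzzle/com.Apperhand.placeholder.SdkService}
"""

if __name__ == "__main__":
    for host, services in find_apperhand_services(SAMPLE).items():
        print(f"{host}: {', '.join(services)}")
```

A match identifies the host app that bundles the SDK; whether to treat it as malware or adware is the question the rest of the article discusses.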

He said that, based on the number of times that the apps containing Counterclank have been downloaded, it's the most prevalent mobile malware seen so far in 2012.

But does Counterclank really count as malicious code, aka malware? "We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK is an aggressive form of ad network and should be taken seriously," according to a blog post from mobile security vendor Lookout.

Apperhand resembles an SDK that appeared in multiple apps in June 2011, and which was known as "ChoopCheec platform" or "Plankton," according to Lookout. "Early incarnations of this SDK crossed several privacy lines in the data it collected about users, but the current version does appear to have cleaned up its act somewhat."

The malware-versus-adware question isn't just academic, since malware is designed for malicious purposes, such as stealing people's personal information, or making endpoints function as part of a botnet. Adware, on the other hand, is meant to fully disclose what it's doing. Furthermore, vendors that rely on adware distribution often argue that it enables users to use applications without having to purchase them. By those definitions, Counterclank seems to fall into the adware category.

Still, proceed carefully. "The average Android user probably doesn't want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behavior," said Lookout. "In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks."

Lookout warned that Apperhand has four capabilities--again, common to many types of adware--which may give Android smartphone app shoppers pause. Notably, the SDK can deliver push notifications containing advertising to devices, and identify a device's IMEI, or international mobile equipment identity number, although the SDK does hash that data to obscure it before transmitting it to the advertising network. In addition, apps with the SDK can push bookmarks to the Android browser, and create a search icon on the desktop that links to a search engine, both of which Lookout classifies as "bad form," but not malware.

Google did not immediately respond to an email asking whether apps containing Counterclank might violate its terms of service and be subject to removal from the Android Market.
