Feeds

Sexy Girls Puzzle: Android Trojan or eager ad-slinger?

Researchers split on Counterclank's naughtiness

Choosing a cloud hosting partner with confidence

Security researchers are split on the seriousness of an Android "malware" campaign that some estimates suggest may have "infected millions" of smartphones via gaming apps from Google's Android Market.

"Android.Counterclank" – a piece of code described by Symantec as a Trojan and by Lookout Mobile Security as part of "an aggressive form of ad network" – can be found in over 13 different mobile gaming apps – including Sexy Girls Puzzle and Counter Strike Ground Force – from three different publishers, according to Symantec. The security software biz said that legitimate games are sometimes repackaged with Trojan horse malware and uploaded to the Android Marketplace in order to infect users.

Kevin Haley, a director with Symantec's security response team, told Computerworld that the apps might have infected anywhere between one and five million users. However, Symantec's official write-up describes Counterclank as a low-risk threat that is easy to remove, hasn't spread very far and has probably only infected 1,000 smartphone users.

Both Symantec and rival Lookout acknowledge that Counterclank lifts information from the user's phone, which includes the browser settings and (in the case of some but not all games) SIM serial and IMEI numbers.

However, while Symantec classes Counterclank as a Trojan, Lookout disagrees.

"Some companies are calling this a botnet or malware. Lookout has some concerns about the functionality, however at this time, and as far as we can tell, it does not meet the standard to be classified as malware or a 'bot'," said Lookout. "Consumers should take these apps very seriously as they appear to tread on privacy lines, but they are not necessarily malicious."

Instead of describing the suspicious apps as Trojans, Lookout characterises Sexy Girls Puzzle and Counter Strike Ground Force as the fruit of a software development kit (SDK) for a mobile advertising network, identified as "Apperhand", and said it ought to be taken seriously.

"The average Android user probably doesn’t want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behaviour," a blog post by Lookout explains. "In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar."

"Malware is defined as software that is designed to engage in malicious behavior on a device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud. Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network – not malware," it added.

Lookout researchers wrote that the Apperhand SDK is similar to a previous mobile advertising SDK – ChoopCheec (AKA Plankton) – that "crossed several privacy lines in the data it collected about users" when it first appeared last year.

Even though Plankton has been modified since, it still does a number of things, such as "pushing" notification ads, dropping a search item on desktops or automatically adding bookmarks, that are liable to give more privacy-conscious mobile users the fear. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.