Feeds

Sexy Girls Puzzle: Android Trojan or eager ad-slinger?

Researchers split on Counterclank's naughtiness

Beginner's guide to SSL certificates

Security researchers are split on the seriousness of an Android "malware" campaign that some estimates suggest may have "infected millions" of smartphones via gaming apps from Google's Android Market.

"Android.Counterclank" – a piece of code described by Symantec as a Trojan and by Lookout Mobile Security as part of "an aggressive form of ad network" – can be found in over 13 different mobile gaming apps – including Sexy Girls Puzzle and Counter Strike Ground Force – from three different publishers, according to Symantec. The security software biz said that legitimate games are sometimes repackaged with Trojan horse malware and uploaded to the Android Marketplace in order to infect users.

Kevin Haley, a director with Symantec's security response team, told Computerworld that the apps might have infected anywhere between one and five million users. However, Symantec's official write-up describes Counterclank as a low-risk threat that is easy to remove, hasn't spread very far and has probably only infected 1,000 smartphone users.

Both Symantec and rival Lookout acknowledge that Counterclank lifts information from the user's phone, which includes the browser settings and (in the case of some but not all games) SIM serial and IMEI numbers.

However, while Symantec classes Counterclank as a Trojan, Lookout disagrees.

"Some companies are calling this a botnet or malware. Lookout has some concerns about the functionality, however at this time, and as far as we can tell, it does not meet the standard to be classified as malware or a 'bot'," said Lookout. "Consumers should take these apps very seriously as they appear to tread on privacy lines, but they are not necessarily malicious."

Instead of describing the suspicious apps as Trojans, Lookout characterises Sexy Girls Puzzle and Counter Strike Ground Force as the fruit of a software development kit (SDK) for a mobile advertising network, identified as "Apperhand", and said it ought to be taken seriously.

"The average Android user probably doesn’t want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behaviour," a blog post by Lookout explains. "In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar."

"Malware is defined as software that is designed to engage in malicious behavior on a device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud. Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network – not malware," it added.

Lookout researchers wrote that the Apperhand SDK is similar to a previous mobile advertising SDK – ChoopCheec (AKA Plankton) – that "crossed several privacy lines in the data it collected about users" when it first appeared last year.

Even though Plankton has been modified since, it still does a number of things, such as "pushing" notification ads, dropping a search item on desktops or automatically adding bookmarks, that are liable to give more privacy-conscious mobile users the fear. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.