Sexy Girls Puzzle: Android Trojan or eager ad-slinger?
Researchers split on Counterclank's naughtiness
Security researchers are split on the seriousness of an Android "malware" campaign that some estimates suggest may have "infected millions" of smartphones via gaming apps from Google's Android Market.
"Android.Counterclank" – a piece of code described by Symantec as a Trojan and by Lookout Mobile Security as part of "an aggressive form of ad network" – can be found in over 13 different mobile gaming apps – including Sexy Girls Puzzle and Counter Strike Ground Force – from three different publishers, according to Symantec. The security software biz said that legitimate games are sometimes repackaged with Trojan horse malware and uploaded to the Android Marketplace in order to infect users.
Kevin Haley, a director with Symantec's security response team, told Computerworld that the apps might have infected anywhere between one and five million users. However, Symantec's official write-up describes Counterclank as a low-risk threat that is easy to remove, hasn't spread very far and has probably only infected 1,000 smartphone users.
Both Symantec and rival Lookout acknowledge that Counterclank lifts information from the user's phone, which includes the browser settings and (in the case of some but not all games) SIM serial and IMEI numbers.
However, while Symantec classes Counterclank as a Trojan, Lookout disagrees.
"Some companies are calling this a botnet or malware. Lookout has some concerns about the functionality, however at this time, and as far as we can tell, it does not meet the standard to be classified as malware or a 'bot'," said Lookout. "Consumers should take these apps very seriously as they appear to tread on privacy lines, but they are not necessarily malicious."
Instead of describing the suspicious apps as Trojans, Lookout characterises Sexy Girls Puzzle and Counter Strike Ground Force as the fruit of a software development kit (SDK) for a mobile advertising network, identified as "Apperhand", and said it ought to be taken seriously.
"The average Android user probably doesn’t want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behaviour," a blog post by Lookout explains. "In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar."
"Malware is defined as software that is designed to engage in malicious behavior on a device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud. Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network – not malware," it added.
Lookout researchers wrote that the Apperhand SDK is similar to a previous mobile advertising SDK – ChoopCheec (AKA Plankton) – that "crossed several privacy lines in the data it collected about users" when it first appeared last year.
Even though Plankton has been modified since, it still does a number of things, such as "pushing" notification ads, dropping a search item on desktops or automatically adding bookmarks, that are liable to give more privacy-conscious mobile users the fear. ®