It’s a new Android Trojan — or at least ‘aggressive advertising’
Jan 30, 2012 — by LinuxDevices Staff — from the LinuxDevices Archive
Symantec has warned of “a new Trojan horse” called Android.Counterclank, which attaches to applications in the Android Market and may be used to run malicious code on users' smartphones and tablets. Taking a slightly different view, Lookout Mobile Security says Counterclank is merely “an aggressive form of ad network” but nonetheless “should be taken seriously.”
A nasty piece of malware called Android.Counterclank, which Symantec said has the highest distribution of any malware so far this year, is making the rounds on Android smartphones and tablet computers.
Symantec counts anywhere from one million to five million combined downloads of the malware, spanning 13 different application titles.
According to Symantec, Android.Counterclank is a variant of the Android.Tonclank Trojan horse. Like Tonclank, Counterclank steals information and may open a back door on Android smartphones and tablets for perpetrators to conduct other malicious actions.
However, Counterclank may also be exploited to download more files and display advertisements on mobile devices.
Android.Counterclank adds a search icon to a device's home screen
Source: Symantec
Android.Counterclank attaches to the main application in a package known as "apperhand." When that package is run, a service with the same name may be seen running on a compromised device.
Users may also determine their device has been infected by Android.Counterclank if they see this search icon on the homescreen of their phone or tablet.
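One way to check for the running-service indicator described above, as an added example that is not from the original article or from Symantec: it parses the text printed by `adb shell dumpsys activity services` and reports which packages host a service in the apperhand namespace. The sample output and every package and class name in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Marker taken from the article: the SDK is com.apperhand, the service "apperhand".
MARKER = "apperhand"

# A service entry in `dumpsys activity services` output looks like
#   * ServiceRecord{<id> [u<user>] <host package>/<service class>}
SERVICE_RE = re.compile(r"ServiceRecord\{\S+(?: u\d+)? ([\w.]+)/([\w.$]+)\}")

# Constructed sample output; package and class names are hypothetical.
SAMPLE_DUMPSYS = """\
ACTIVITY MANAGER SERVICES (dumpsys activity services)
  * ServiceRecord{41a3b2c8 u0 com.example.balloons/com.apperhand.device.ExampleService}
    intent={cmp=com.example.balloons/com.apperhand.device.ExampleService}
  * ServiceRecord{4205d1f0 u0 com.example.notes/.SyncService}
  * ServiceRecord{42100aa8 com.example.shooter/com.apperhand.device.ExampleService}
  * ServiceRecord{4299c0de u0 com.example.mail/.PushService}
"""


def full_class_name(package, cls):
    """Expand the shorthand '.Service' to '<package>.Service'."""
    return package + cls if cls.startswith(".") else cls


def find_apperhand_hosts(dumpsys_text, marker=MARKER):
    """Return {host package: sorted service classes} for every running
    service whose class name has the marker as a dotted segment."""
    hits = defaultdict(set)
    for line in dumpsys_text.splitlines():
        m = SERVICE_RE.search(line)
        if not m:
            continue
        package, cls = m.group(1), full_class_name(m.group(1), m.group(2))
        # Compare whole dotted segments so that an unrelated name such as
        # "apperhandler" does not raise a false positive.
        if marker in cls.lower().split("."):
            hits[package].add(cls)
    return {pkg: sorted(classes) for pkg, classes in hits.items()}


if __name__ == "__main__":
    for pkg, services in sorted(find_apperhand_hosts(SAMPLE_DUMPSYS).items()):
        print(f"{pkg}: hosts apperhand service {', '.join(services)}")
```

On a real device the input would come from `adb shell dumpsys activity services`; the host package names returned are the apps to review or uninstall.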
To provide users with a heads-up, Symantec has listed all 13 application publisher titles on the Android Market that are being used to push out Android.Counterclank.
The malicious apps, which range from games to entertainment apps starring scantily clad women, include: Counter Elite Force and CounterStrike Ground Force from iApps7 Inc.; Balloon Game and Wild Man from Ogre Games; and Sexy Girls Photo Game from redmicapps.
Symantec, no stranger to detecting Android malware, said in a corporate blog post that it is still investigating the malware and will keep people apprised of its findings.
Symantec's security team also detected the Android.Fakeneflic malware, a low-risk Trojan horse that flew under the radar thanks to Netflix's (NASDAQ:NFLX) staggered launch of its mobile application for Android handsets.
Symantec said late last year that despite the explosion in mobile malware in the last couple of years, perpetrators are not yet seeing a lot of financial returns from compromised phones.
Just aggressive advertising?
In a Jan. 27 blog posting, Lookout Mobile Security offered an alternative view of Android.Counterclank: "We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK is an aggressive form of ad network and should be taken seriously."
According to Lookout, the com.apperhand SDK has several capabilities that are common to many ad networks. The security firm listed these as follows:
- It is capable of identifying the user uniquely by their IMEI, for instance, but unlike some networks this SDK forward-hashes the IMEI before sending to its server. They're identifying your device, but they are obfuscating the raw data.
- The SDK has the capability to deliver "Push Notification" ads to the user. We're not huge fans of push notifications, but we also don't consider push notification advertising to be malware.
- The SDK drops a search icon onto the desktop. Again, we consider this bad form, though we don't consider this a smoking gun for malware provided the content that is delivered is safe. In this case, it is simply a link to a search engine.
- The SDK also has the capability to push bookmarks to the browser. In our opinion, this crosses a line; although we do not believe this is cause to classify the SDK as malware.
Clint Boulton is a writer for eWEEK.
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc.