Android Central

The folks at Symantec have tipped everyone off about a new piece of Android Malware, calling Android.Counterclank "a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device."  They note that starting one of the apps "infected" with the apperhand SDK package will show a second service running, and often places a search icon on the home screen.  They have verified this is in 13 applications on the Android Market and are calling it "the highest distribution of any malware identified so far this year."  Some reports on the internet claim it may have affected 5 million users.  That's 5,000,000 -- a huge and scary number. And it makes for a great headline.

But it looks like Symantec might have jumped the gun a bit.

Lookout, a competitor in the Android security field, says that the applications are not malware, and the apperhand package actually is a legitimate, but aggressive, advertisement component.  It's part of an advertising software development kit that's a modified version of the "ChoopCheec" platform” or “Plankton” SDK that was the focus of some privacy concerns in June 2011.  This newer version is cleaner, but it still has capabilities common to many ad networks. Writes Lookout:

  • It is capable of identifying the user uniquely by their IMEI number, for instance. But unlike some networks, this SDK forward-hashes the IMEI before sending to its server. They’re identifying your device, but they are obfuscating the raw data. (That's a good thing.)
  • The SDK has the capability to deliver “Push Notification” ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware.
  • The SDK drops a search icon onto the desktop. Again, we consider bad form, though we don’t consider this a smoking gun for malware provided the content that is delivered is safe.  In this case, it is simply a link to a search engine.
  • The SDK also has the capability to push bookmarks to the browser.  In our opinion, this is crosses a line; although we do not believe this is cause to classify the SDK as malware.

We're not sure exactly how far is too far, but if the applications are using practices found in "many" other ad networks, we agree with Lookouts points listed here and have to call this one a non-issue when talking about malware.  On the issue of privacy and wanton sharing of user data, we're not loving it, but it's not malware.  

We're not security specialists, and we never claim to be.  We can tear applications apart and see what's hiding in there, but in-depth scanning and analysis is best left to the experts.  That being said, we are experts at catching bullshit, and this one reeks of it.  Nobody likes ads, but we can't just call them malware anytime we like.  They're a part of the ad-supported app model, and we should expect to see more than we like.  When they misbehave, call for someone's head, but not before.  

But that's not sensational.  Headlines like Computerworld's "Massive Android malware op may have infected 5 million users" cause controversy, and everyone loves a controversy.  Explaining that the 5 million mark is from adding the high end of the download counters, which allows for a 4 million-device margin of error, is conveniently forgotten.  And we'd like to think that if as many as 1 million devices on the low end had been infected, Google and the Android Market team would have said something.

The long and the short of it is, we're sleeping just fine tonight. Move along.

More: Symantec; Lookout

There are 43 comments

dethduck says:

A malware scare?
From an anti-malware company?

Say it ain't so.

"The SDK has the capability to deliver “Push Notification” ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware."

Well good for them! But I sure as hell do! It's spam that I didn't ask for, that shows up in a place where I don't want it - in the notification bar in this case. Imagine ads on your desktop popping up every half-hour, disturbing you from your work or entertainment?! It's aggressive spam, and in my book, it's malware.

So then stop being a cheap @ss and pony up for the ad free problem solved cheap ahole.

Developers need to make money somehow

I agree, developers should make money from their apps, but not by spamming your notification bar with ads! I have no problem with the ads "bar" that you see on the top or bottom of an app, but push-notifications is where I draw the line and call it what it is - malware! And I shouldn't have to pay for another app to get rid of that malware, it shouldn't have been there in the first place!

wraith404 says:

In app ads are not the same thing as anonymous ads SPAMMED into the notification bar. Most times that I've seen this tactic used there isn't even an app willing to take credit for it. Ads coming into your notification bar also often means something is running all the time, wasting your battery. It should be mandatory for the app name to be displayed in the notification bar with the ad. That way, the user can decide fairly if it is worth it. But no, most of the developers that resort to this tactic are craven little parasites.

P.S. Most of my apps are paid versions, but sometimes, there isn't a paid version, or you want to evaluate the work of some no name no rep developer before you hand over the coin, and 15 a minute return window is an insult.

icebike says:

That a guy who earns his living working for a site that lives or dies by selling advertising is not all that concerned by ads should come as no surprise.

Mrfitz says:

I've got to agree with somerussianguy on this. If this was on my desktop machine it would most certainly be classified as malware. Just because it's pushing ads and not sending out personal info doesn't mean it's not malware. There is a whole industry built around getting rid of crap like this. It affects the performance and user experience beyond the purpose of the original app that was installed.

aergern says:

If this was a desktop you'd have admin/root and could run a firewall an block the ad servers EASY .. with your handset unless you have root to use adfree + Droidwall ... your screwed. How about we revolt and MAKE the handset manufacturers GIVE us what we paid for .. our WHOLE device. They say we own the hardware well ... the kernel Android uses is OSS software and we should have access to it. If they want to protect their IP then DO NOT preinstall those bloatastic UI's and just ship us ASOP with an ability to install what we want.

Until you have root/admin .. you can not bitch. You get what you get.

rpankoe says:

I had the search icon randomly appear on my homescreen, so I guess I'm one of the millions!

meany105 says:

Me too! anyone know how to remove this stuff?

canesfan44 says:

Me too

js3141 says:

Just be thankful you had room for it on your homescreen or it probably would have moved/deleted a bunch of your existing icons to make room for it.

jimmycinla says:

Peggy from Symantec customer service wrote the initial article, with research help from Geller for sure.

enorth says:

Boy, I'd sure consider that malware. I've been using Lookout, but based on this I'm going to check out alternatives. I'm not comfortable with a security program that is comfortable with an uninvited app like this.

Uninvited? You downloaded the app...i dont agree with this sort of advertising but then again i dont run into it because i one, look at the.comments, sexond i buy all me apps so ads dont show. Stop being cheap and the problem is solved or just read the comments

Cubfan says:

Symantec jumps on gloom and doom... always. Sickening.

aergern says:

Of course they do. Why else would they be able to sell their malware if they don't cause a panic. They tried to do this on OS X when it became more popular ... it failed. They need revenue so what's the best target ... Android.

LaFlamme says:

If it's shoving bookmarks to the browser, putting junk on the home screen and pushing ads, I don't care how you define it, it's nasty. Symantec might have cried a little too loudly about the wolf in the woods, but I think the writer of this piece goes too far in the other direction. Move along? Not until this crap is off my phone.

david.landry says:

Humm, yes, I tend to agree as well that if this were on the desktop I'd consider it malware, but there are a number of Android apps that seem to put ads in my notification bar without explicit permission ... I immediately uninstall the offending application. I'm sure that the license agreement (which I never read) tells me they are going to do this, and if I had read it I probably wouldn't have installed the app in the first place, but as long as they are open about it, and removing the application also removes the ads, then I don't think it can be called 'malware' ... 'crapware' maybe would be a better name for it.

So if you have this issue (I don't, but in case I ever do) how do you get rid of it.

Will uninstalling the application that caused the problem clean up all the ads and bookmarks? If not, then it is definitely malware IMO.

js3141 says:

Of course not, you have to manually remove the bookmarks and icon spam yourself. Even worse, what do you think will happen if there isn't enough room on your main "desktop" screen for the spammed icons? Exactly, it will delete or move your existing stuff to make room for it. I hope you like spending an hour or so re-arranging everything back to the way it was.

UncleMike says:

Sensationalistic bullshit like this erodes the little credibility Android anti-malware vendors have, and bolsters the position of people who (like me) believe that caution and common sense are all most of us need to keep our Android devices safe. If they keep this up, when something finally does happen, nobody will pay any attention.

Have they ever hear the story of "the boy who cried wolf"?

DocFreud says:

Here is the list of apps in case anybody is interested.

Counter Elite Force
Counter Strike Ground Force
CounterStrike Hit Enemy
Heart Live Wallpaper
Hit Counter Terrorist
Stripper Touch girl
Balloon Game
Deal & Be Millionaire
Wild Man
Pretty women lingerie puzzle
Sexy Girls Photo Game
Sexy Girls Puzzle
Sexy Women Puzzle

rpankoe says:

I don't have any of those, but had the search icon appear.

canesfan44 says:

me too

lwesker says:

I dumped Lookout awhile back for being a bit too highbrow for the value in their app. Now I am glad. Too wussy of an attitude for something so aggressive. Allowing these apps to continue will only allow worse ones in the future. Maybe Symantec was too harsh, but no excuse for such lenient attitude either.

I am curious how my preferred Avast Mobile Security is treating this, but I don't want to download one of the bad apps just to find out.

Also get Addons Detector too. It will show the Push Advertising modules and what installed app is carrying it.

j0hn13y says:

i only use lookout for its locate feature, but i'm probably going to dump it too. the ram usage recently has skyrocketed to almost 100megs when its doing nothing!

lwesker says:

Avast Mobile Security has a better phone locate feature too. It does everything better than Lookout, and free for what Lookout charges monthly fee. IMHO.

Taz89 says:

i think i had this...some how my browser homepage was not google but some look alike...never found the search icon on the desktop and dont have any of the listed apps so dont know how it happened..just deleted browser data to be on the safe side

Timelessblur says:

Yes scare but at the same time I want to know any App that uses said software and I will refuse to even consider it. Push ads is the quickest way to get an App removed off my phone.

js3141 says:

And just how will you know which app is responsible? Are you planning on unpacking and decompiling every .apk to find out which ones have it?

Cellmeister says:


Sounds like an Apple Pay Out....

vicw926a4 says:

I don't want this kind of invasive action from any of the apps I use. It may not exactly rise to some precise definition of malware, but it might as well be, as far as I am concerned. Maybe Lookout should consider providing a range of security level settings to allow us to decide for ourselves what behaviors we want to tolerate.

niuguy says:

I like this article. I think its unwise to use the term "malware" too loosely.

That said, I have no problem with a site like AC warning users about advertising methods that people might feel are going too far.

My general opinion is that it isn't malware if I can easily uninstall it. If I can uninstall it, its just a shitty app and MUST DIE. :)

ak110707 says:

Im just happy to see the DInc...

McPlot says:

The Apple loving CNET will be all over this but will fail to mention it isn't actually malware, just crapware

jerrod6 says:

If this gets on my phone or on my desktop without my knowledge can I delete it from the homescreen by dragging to the trash can? Can I easily delete it from my phone? IF not... It's malware. I don't want this kind of stuff on my PC or phone!

robotaholic says:

Symantec makes freakin' Norton Antivirus. Did anybody see the news lately how a 'loophole' in their security suite accidentally served as a relay to create tons of spam and spread it all over the web? Does anybody really think this is an 'accident'? I for one think the big guns in the anti-virus sphere actively cause this crap as a racket to sell their lame shit. F Norton, F Lookout, and F McAfee too! I don't trust them one bit! I honestly think they prey on the slightly paranoid by inflating the dangers and then save the day by presenting their service.

ads says:

Well, it may not propogate like a virus, and Symantec may have overblown it, but what does it have to do before you DO call it malware. It sure is adware that is doing things no knowledgeable person would allow.



Symantec - At one time you where on top of the game. Now, you are but a large player in a fierce game. It is actions like this along with your bloatware slowing down pcs on Windows which keep me from using, loading to customers pc or even recommending your product to others.

wraith404 says:

Here's my opinion of push notification ads and malware. If the notification identifies the app that facilitated the ad, then it's fair game. It's also fair game for me to uninstall said app if I don't like it. If the notification does NOT identify the app, and just spills into a web browser if you select the notification, then it SHOULD be considered malware.

JakeChance says:

I agree with what most people have already said. It may not be officially considered malware and the headline might be trumped up, but it's certainly crapware. The devs are certainly crossing a line with push notification ads, dropping garbage onto home screens, and adding bookmarks.

Personally I would still say this stuff is "malicious" in nature but I also personally wouldn't keep an app around long enough if it did any of this.

jcapen87 says:

I'm very familiar with Android but not with the rules and regulations of developing for there a way that Google could mandate that developers not be able to do this or else risk their apps being banned from publication?

jcapen87 says:

There's a pretty simple solution to all this- research before you download. Pay attention to user reviews. Use forums like this to see if anyone else is having problems with the said app.

You don't need Symantec, Norton, Lookout, etc etc to hold your hand.