The folks at Symantec have tipped everyone off about a new piece of Android Malware, calling Android.Counterclank "a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device." They note that starting one of the apps "infected" with the apperhand SDK package will show a second service running, and often places a search icon on the home screen. They have verified this is in 13 applications on the Android Market and are calling it "the highest distribution of any malware identified so far this year." Some reports on the internet claim it may have affected 5 million users. That's 5,000,000 -- a huge and scary number. And it makes for a great headline.
But it looks like Symantec might have jumped the gun a bit.
Lookout, a competitor in the Android security field, says that the applications are not malware, and the apperhand package actually is a legitimate, but aggressive, advertisement component. It's part of an advertising software development kit that's a modified version of the "ChoopCheec" platform” or “Plankton” SDK that was the focus of some privacy concerns in June 2011. This newer version is cleaner, but it still has capabilities common to many ad networks. Writes Lookout:
It is capable of identifying the user uniquely by their IMEI number, for instance. But unlike some networks, this SDK forward-hashes the IMEI before sending to its server. They’re identifying your device, but they are obfuscating the raw data. (That's a good thing.)
The SDK has the capability to deliver “Push Notification” ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware.
The SDK drops a search icon onto the desktop. Again, we consider bad form, though we don’t consider this a smoking gun for malware provided the content that is delivered is safe. In this case, it is simply a link to a search engine.
The SDK also has the capability to push bookmarks to the browser. In our opinion, this is crosses a line; although we do not believe this is cause to classify the SDK as malware.
We're not sure exactly how far is too far, but if the applications are using practices found in "many" other ad networks, we agree with Lookouts points listed here and have to call this one a non-issue when talking about malware. On the issue of privacy and wanton sharing of user data, we're not loving it, but it's not malware.
We're not security specialists, and we never claim to be. We can tear applications apart and see what's hiding in there, but in-depth scanning and analysis is best left to the experts. That being said, we are experts at catching bullshit, and this one reeks of it. Nobody likes ads, but we can't just call them malware anytime we like. They're a part of the ad-supported app model, and we should expect to see more than we like. When they misbehave, call for someone's head, but not before.
But that's not sensational. Headlines like Computerworld's "Massive Android malware op may have infected 5 million users" cause controversy, and everyone loves a controversy. Explaining that the 5 million mark is from adding the high end of the download counters, which allows for a 4 million-device margin of error, is conveniently forgotten. And we'd like to think that if as many as 1 million devices on the low end had been infected, Google and the Android Market team would have said something.
The long and the short of it is, we're sleeping just fine tonight. Move along.
More: Symantec; Lookout