Latest Android Malware scare might be premature

The folks at Symantec have tipped everyone off about a new piece of Android malware, calling Android.Counterclank "a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device." They note that starting one of the apps "infected" with the apperhand SDK package shows a second service running and often places a search icon on the home screen. They have verified this is in 13 applications on the Android Market and are calling it "the highest distribution of any malware identified so far this year." Some reports on the internet claim it may have affected 5 million users. That's 5,000,000 -- a huge and scary number. And it makes for a great headline.

But it looks like Symantec might have jumped the gun a bit.

Lookout, a competitor in the Android security field, says that the applications are not malware, and the apperhand package actually is a legitimate, but aggressive, advertisement component. It's part of an advertising software development kit that's a modified version of the "ChoopCheec" platform or "Plankton" SDK that was the focus of some privacy concerns in June 2011. This newer version is cleaner, but it still has capabilities common to many ad networks. Writes Lookout:

  • It is capable of identifying the user uniquely by their IMEI number, for instance. But unlike some networks, this SDK forward-hashes the IMEI before sending to its server. They’re identifying your device, but they are obfuscating the raw data. (That's a good thing.)
  • The SDK has the capability to deliver “Push Notification” ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware.
  • The SDK drops a search icon onto the desktop. Again, we consider this bad form, though we don’t consider this a smoking gun for malware provided the content that is delivered is safe. In this case, it is simply a link to a search engine.
  • The SDK also has the capability to push bookmarks to the browser. In our opinion, this crosses a line; although we do not believe this is cause to classify the SDK as malware.
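
For readers who want to check an APK themselves, the Python below is an added example, not code from Lookout, Symantec or Android Central. It looks for the apperhand name in an app's dex files and for manifest permissions that would accompany three of the behaviours Lookout lists; the permission mapping, the class name in the sample and the sample APK contents are assumptions constructed for this example, and a match shows what an app is able to do, not that it is malicious.

```python
import io
import zipfile

# "apperhand" is the SDK name given in the article; the permission mapping
# below is an assumption made for this example, not a published indicator list.
SDK_MARKER = b"apperhand"
CAPABILITY_PERMISSIONS = {
    "reads device identifier (IMEI)": "android.permission.READ_PHONE_STATE",
    "adds home-screen shortcut": "com.android.launcher.permission.INSTALL_SHORTCUT",
    "writes browser bookmarks": "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS",
}

def _contains(blob, text):
    """Match text stored as UTF-8 or UTF-16LE (binary XML uses either)."""
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob

def triage_apk(apk):
    """Return {'sdk_in': [dex names], 'capabilities': [labels]} for a path or file object."""
    report = {"sdk_in": [], "capabilities": []}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                if SDK_MARKER in zf.read(name).lower():
                    report["sdk_in"].append(name)
        if "AndroidManifest.xml" in zf.namelist():
            manifest = zf.read("AndroidManifest.xml")
            for label, perm in CAPABILITY_PERMISSIONS.items():
                if _contains(manifest, perm):
                    report["capabilities"].append(label)
    return report

def build_sample_apk(with_sdk):
    """Constructed stand-in for an APK (not a real app) so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        perms = ["android.permission.INTERNET"]
        dex = b"dex\n035\x00Lcom/example/game/Main;"
        if with_sdk:
            perms += list(CAPABILITY_PERMISSIONS.values())[1:]
            dex += b"Lcom/apperhand/ConstructedSample;"  # constructed class name
        zf.writestr("AndroidManifest.xml", "\x00".join(perms).encode("utf-16-le"))
        zf.writestr("classes.dex", dex)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, triage_apk(build_sample_apk(flag)))
```
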

We're not sure exactly how far is too far, but if the applications are using practices found in "many" other ad networks, we agree with Lookout's points listed here and have to call this one a non-issue when talking about malware. On the issue of privacy and wanton sharing of user data, we're not loving it, but it's not malware.

We're not security specialists, and we never claim to be.  We can tear applications apart and see what's hiding in there, but in-depth scanning and analysis is best left to the experts.  That being said, we are experts at catching bullshit, and this one reeks of it.  Nobody likes ads, but we can't just call them malware anytime we like.  They're a part of the ad-supported app model, and we should expect to see more than we like.  When they misbehave, call for someone's head, but not before.  

But that's not sensational.  Headlines like Computerworld's "Massive Android malware op may have infected 5 million users" cause controversy, and everyone loves a controversy.  Explaining that the 5 million mark is from adding the high end of the download counters, which allows for a 4 million-device margin of error, is conveniently forgotten.  And we'd like to think that if as many as 1 million devices on the low end had been infected, Google and the Android Market team would have said something.

The long and the short of it is, we're sleeping just fine tonight. Move along.

More: Symantec; Lookout

Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • A malware scare?
    From an anti-malware company?
    Premature? Noooooo...
    Say it ain't so.
  • "The SDK has the capability to deliver “Push Notification” ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware." Well good for them! But I sure as hell do! It's spam that I didn't ask for, that shows up in a place where I don't want it - in the notification bar in this case. Imagine ads on your desktop popping up every half-hour, disturbing you from your work or entertainment?! It's aggressive spam, and in my book, it's malware.
  • So then stop being a cheap @ss and pony up for the ad free. Problem solved, cheap ahole. Developers need to make money somehow.
  • I agree, developers should make money from their apps, but not by spamming your notification bar with ads! I have no problem with the ads "bar" that you see on the top or bottom of an app, but push-notifications is where I draw the line and call it what it is - malware! And I shouldn't have to pay for another app to get rid of that malware, it shouldn't have been there in the first place!
  • In app ads are not the same thing as anonymous ads SPAMMED into the notification bar. Most times that I've seen this tactic used there isn't even an app willing to take credit for it. Ads coming into your notification bar also often means something is running all the time, wasting your battery. It should be mandatory for the app name to be displayed in the notification bar with the ad. That way, the user can decide fairly if it is worth it. But no, most of the developers that resort to this tactic are craven little parasites. P.S. Most of my apps are paid versions, but sometimes, there isn't a paid version, or you want to evaluate the work of some no name no rep developer before you hand over the coin, and a 15 minute return window is an insult.
  • That a guy who earns his living working for a site that lives or dies by selling advertising is not all that concerned by ads should come as no surprise.
  • I've got to agree with somerussianguy on this. If this was on my desktop machine it would most certainly be classified as malware. Just because it's pushing ads and not sending out personal info doesn't mean it's not malware. There is a whole industry built around getting rid of crap like this. It affects the performance and user experience beyond the purpose of the original app that was installed.
  • If this was a desktop you'd have admin/root and could run a firewall and block the ad servers EASY .. with your handset unless you have root to use adfree + Droidwall ... you're screwed. How about we revolt and MAKE the handset manufacturers GIVE us what we paid for .. our WHOLE device. They say we own the hardware well ... the kernel Android uses is OSS software and we should have access to it. If they want to protect their IP then DO NOT preinstall those bloatastic UIs and just ship us AOSP with an ability to install what we want. Until you have root/admin .. you can not bitch. You get what you get.
  • I had the search icon randomly appear on my homescreen, so I guess I'm one of the millions!
  • Me too! Anyone know how to remove this stuff?
  • Me too
  • Just be thankful you had room for it on your homescreen or it probably would have moved/deleted a bunch of your existing icons to make room for it.
  • Peggy from Symantec customer service wrote the initial article, with research help from Geller for sure.
  • Boy, I'd sure consider that malware. I've been using Lookout, but based on this I'm going to check out alternatives. I'm not comfortable with a security program that is comfortable with an uninvited app like this.
  • Uninvited? You downloaded the app... I don't agree with this sort of advertising but then again I don't run into it because I one, look at the comments, second I buy all my apps so ads don't show. Stop being cheap and the problem is solved or just read the comments
  • Symantec jumps on gloom and doom... always. Sickening.
  • Of course they do. Why else would they be able to sell their malware if they don't cause a panic. They tried to do this on OS X when it became more popular ... it failed. They need revenue so what's the best target ... Android.
  • If it's shoving bookmarks to the browser, putting junk on the home screen and pushing ads, I don't care how you define it, it's nasty. Symantec might have cried a little too loudly about the wolf in the woods, but I think the writer of this piece goes too far in the other direction. Move along? Not until this crap is off my phone.
  • Humm, yes, I tend to agree as well that if this were on the desktop I'd consider it malware, but there are a number of Android apps that seem to put ads in my notification bar without explicit permission ... I immediately uninstall the offending application. I'm sure that the license agreement (which I never read) tells me they are going to do this, and if I had read it I probably wouldn't have installed the app in the first place, but as long as they are open about it, and removing the application also removes the ads, then I don't think it can be called 'malware' ... 'crapware' maybe would be a better name for it. So if you have this issue (I don't, but in case I ever do) how do you get rid of it? Will uninstalling the application that caused the problem clean up all the ads and bookmarks? If not, then it is definitely malware IMO.
  • Of course not, you have to manually remove the bookmarks and icon spam yourself. Even worse, what do you think will happen if there isn't enough room on your main "desktop" screen for the spammed icons? Exactly, it will delete or move your existing stuff to make room for it. I hope you like spending an hour or so re-arranging everything back to the way it was.
  • Sensationalistic bullshit like this erodes the little credibility Android anti-malware vendors have, and bolsters the position of people who (like me) believe that caution and common sense are all most of us need to keep our Android devices safe. If they keep this up, when something finally does happen, nobody will pay any attention. Have they ever heard the story of "the boy who cried wolf"?
  • Here is the list of apps in case anybody is interested.
    Counter Elite Force
    Counter Strike Ground Force
    CounterStrike Hit Enemy
    Heart Live Wallpaper
    Hit Counter Terrorist
    Stripper Touch girl
    Balloon Game
    Deal & Be Millionaire
    Wild Man
    Pretty women lingerie puzzle
    Sexy Girls Photo Game
    Sexy Girls Puzzle
    Sexy Women Puzzle
  • I don't have any of those, but had the search icon appear.
  • me too
  • I dumped Lookout awhile back for being a bit too highbrow for the value in their app. Now I am glad. Too wussy of an attitude for something so aggressive. Allowing these apps to continue will only allow worse ones in the future. Maybe Symantec was too harsh, but no excuse for such lenient attitude either. I am curious how my preferred Avast Mobile Security is treating this, but I don't want to download one of the bad apps just to find out. Also get Addons Detector too. It will show the Push Advertising modules and what installed app is carrying it.
  • I only use Lookout for its locate feature, but I'm probably going to dump it too. The RAM usage recently has skyrocketed to almost 100megs when it's doing nothing!
  • Avast Mobile Security has a better phone locate feature too. It does everything better than Lookout, and free for what Lookout charges monthly fee. IMHO.
  • I think I had this... somehow my browser homepage was not Google but some lookalike... never found the search icon on the desktop and don't have any of the listed apps so don't know how it happened.. just deleted browser data to be on the safe side
  • Yes scare but at the same time I want to know any App that uses said software and I will refuse to even consider it. Push ads is the quickest way to get an App removed off my phone.
  • And just how will you know which app is responsible? Are you planning on unpacking and decompiling every .apk to find out which ones have it?
  • LOL! Sounds like an Apple Pay Out....
  • I don't want this kind of invasive action from any of the apps I use. It may not exactly rise to some precise definition of malware, but it might as well be, as far as I am concerned. Maybe Lookout should consider providing a range of security level settings to allow us to decide for ourselves what behaviors we want to tolerate.
  • I like this article. I think it's unwise to use the term "malware" too loosely. That said, I have no problem with a site like AC warning users about advertising methods that people might feel are going too far. My general opinion is that it isn't malware if I can easily uninstall it. If I can uninstall it, it's just a shitty app and MUST DIE. :)
  • I'm just happy to see the DInc...
  • The Apple loving CNET will be all over this but will fail to mention it isn't actually malware, just crapware
  • If this gets on my phone or on my desktop without my knowledge can I delete it from the homescreen by dragging to the trash can? Can I easily delete it from my phone? IF not... It's malware. I don't want this kind of stuff on my PC or phone!
  • Symantec makes freakin' Norton Antivirus. Did anybody see the news lately how a 'loophole' in their security suite accidentally served as a relay to create tons of spam and spread it all over the web? Does anybody really think this is an 'accident'? I for one think the big guns in the anti-virus sphere actively cause this crap as a racket to sell their lame shit. F Norton, F Lookout, and F McAfee too! I don't trust them one bit! I honestly think they prey on the slightly paranoid by inflating the dangers and then save the day by presenting their service.
  • Well, it may not propagate like a virus, and Symantec may have overblown it, but what does it have to do before you DO call it malware? It sure is adware that is doing things no knowledgeable person would allow. ADS
  • Symantec - At one time you were on top of the game. Now, you are but a large player in a fierce game. It is actions like this along with your bloatware slowing down PCs on Windows which keep me from using, loading to customers' PCs or even recommending your product to others.
  • Here's my opinion of push notification ads and malware. If the notification identifies the app that facilitated the ad, then it's fair game. It's also fair game for me to uninstall said app if I don't like it. If the notification does NOT identify the app, and just spills into a web browser if you select the notification, then it SHOULD be considered malware.
  • I agree with what most people have already said. It may not be officially considered malware and the headline might be trumped up, but it's certainly crapware. The devs are certainly crossing a line with push notification ads, dropping garbage onto home screens, and adding bookmarks. Personally I would still say this stuff is "malicious" in nature but I also personally wouldn't keep an app around long enough if it did any of this.
  • I'm very familiar with Android but not with the rules and regulations of developing for there a way that Google could mandate that developers not be able to do this or else risk their apps being banned from publication?
  • There's a pretty simple solution to all this- research before you download. Pay attention to user reviews. Use forums like this to see if anyone else is having problems with the said app. You don't need Symantec, Norton, Lookout, etc etc to hold your hand.