Symantec is reporting what it calls the “highest distribution of any malware identified so far this year.” According to the company, up to 5 million users are affected, but before everyone gets their panties in a bunch, Symantec lists the risk level as “very low,” not to mention this probably isn’t malware.
It’s called Android.Counterclank, and it can be found in the following applications:
| Publisher | Malicious App Title | Category |
|---|---|---|
| iApps7 Inc | Counter Elite Force | Arcade & Action |
| iApps7 Inc | Counter Strike Ground Force | Arcade & Action |
| iApps7 Inc | CounterStrike Hit Enemy | Arcade & Action |
| iApps7 Inc | Heart Live Wallpaper | Entertainment |
| iApps7 Inc | Hit Counter Terrorist | Arcade & Action |
| iApps7 Inc | Stripper Touch girl | Entertainment |
| Ogre Games | Balloon Game | Sports Games |
| Ogre Games | Deal & Be Millionaire | Sports Games |
| Ogre Games | Wild Man | Arcade & Action |
| redmicapps | Pretty women lingerie puzzle | Photography |
| redmicapps | Sexy Girls Photo Game | Lifestyle |
| redmicapps | Sexy Girls Puzzle | Brain & Puzzle |
| redmicapps | Sexy Women Puzzle | Brain & Puzzle |
The malicious code is grafted into a package called com.apperhand, which is found in each of the above apps. Upon installation, the com.apperhand package could perform any of the functions below:
- Copy bookmarks on the device
- Copy opt out details
- Copy push notifications
- Copy shortcuts
- Identify the last executed command
- Modify the browser’s home page
- Steal build information (for example: brand, device, manufacturer, model, OS, etc.)
It may also try to connect to a couple of remote locations.
A major competitor, Lookout Mobile Security, a company we support here at TalkAndroid, says that this isn’t malware and is legitimate. The apperhand package is actually an aggressive advertising component, part of a modified version of the “ChoopCheec” platform or “Plankton” SDK that caused a stir in June 2011. This newer version is cleaner, and Lookout said the following:
- It is capable of identifying the user uniquely by their IMEI number, for instance. But unlike some networks, this SDK forward-hashes the IMEI before sending to its server. They’re identifying your device, but they are obfuscating the raw data. (That’s a good thing.)
- The SDK has the capability to deliver Push Notification ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware.
- The SDK drops a search icon onto the desktop. Again, we consider this bad form, though we don’t consider this a smoking gun for malware provided the content that is delivered is safe. In this case, it is simply a link to a search engine.
- The SDK also has the capability to push bookmarks to the browser. In our opinion, this crosses a line, although we do not believe this is cause to classify the SDK as malware.
And finally Lookout said:
“Of the applications that were originally identified as malicious, a subset of them have subsequently been pulled from the Android Market. However, it’s important to note that this does not include all identified applications, and reasons for removal may also include content, copyright, or other violations of the Android Market’s Terms of Service.”
The story of Android security continues, and it simply creates great press. Are malware and trojans an issue for Android? I won’t say they aren’t, but there really haven’t been any major catastrophes as some of these articles and posts would like you to believe. It’s the job of the security firms to make money, so putting a little extra fear into the public’s mindset isn’t a bad thing to them, but at the same time we have to educate ourselves by reading beyond the titles.