Symantec reports the largest Malware scare in the Android Market, Lookout Mobile Security says no way

Symantec is reporting they found what they’re saying is the “highest distibution of any malware identified so far this year.” According to them, up to 5 million users are affected, but before everyone gets their panties in a bunch, they list the risk level as “very low,” not to mention this probably isn’t malware.

It’s called Android.Counterclank, and it can be found in the following applicatons:


Publisher Malicious App Title Category
iApps7 Inc Counter Elite Force Arcade & Action
iApps7 Inc Counter Strike Ground Force Arcade & Action
iApps7 Inc CounterStrike Hit Enemy Arcade & Action
iApps7 Inc Heart Live Wallpaper Entertainment
iApps7 Inc Hit Counter Terrorist Arcade & Action
iApps7 Inc Stripper Touch girl Entertainment
Ogre Games Balloon Game Sports Games
Ogre Games Deal & Be Millionaire Sports Games
Ogre Games Wild Man Arcade & Action
redmicapps Pretty women lingerie puzzle Photography
redmicapps Sexy Girls Photo Game Lifestyle
redmicapps Sexy Girls Puzzle Brain & Puzzle
redmicapps Sexy Women Puzzle Brain & Puzzle

The malicious code is grafted in a package called com.apperhand, which is found in each of the above apps. Upon installation the com.apperhand package could complete any of the below functions:

  • Copy bookmarks on the device
  • Copy opt out details
  • Copy push notifications
  • Copy shortcuts
  • Identify the last executed command
  • Modify the browser’s home page
  • Steal build information (for example: brand, device, manufacturer, model, OS, etc.)

It may also try to connect to a couple of remote locations.

A major competitor, Lookout Mobile Security, a company we support here at TalkAndroid, say that this isn’t malware and is legitimate. The apperhand package is actually an aggressive advertising component, and part of a modified version of the “ChoopCheec” platform or “Plankton” SDK that caused a stir in June 2011. This newer version is cleaner, and Lookout said the following:

  • It is capable of identifying the user uniquely by their IMEI number, for instance. But unlike some networks, this SDK forward-hashes the IMEI before sending to its server. They’re identifying your device, but they are obfuscating the raw data. (That’s a good thing.)
  • The SDK has the capability to deliver Push Notification ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware.
  • The SDK drops a search icon onto the desktop. Again, we consider bad form, though we don’t consider this a smoking gun for malware provided the content that is delivered is safe.  In this case, it is simply a link to a search engine.
  • The SDK also has the capability to push bookmarks to the browser.  In our opinion, this is crosses a line; although we do not believe this is cause to classify the SDK as malware.

And finally Lookout said:

“Of the applications that were originally identified as malicious, a subset of them have subsequently been pulled from the Android Market. However, it’s important to note that this does not include all identified applications, and reasons for removal may also include content, copyright, or other violations of the Android Market’s Terms of Service.”

The story of Android security continues, and it simply creates great press. Is malware and trojans an issue for Android? I won’t say it isn’t, but there really hasn’t been any major catastrophes as some of these articles and posts would like you to believe. It’s the job of the security firms to make money, so putting a little extra fear into the public’s mindset isn’t a bad thing to them, but at the same time we have to educate ourselves by reading beyond the titles.

source: symantec, lookout
via: androidcentral

About the Author: Robert Nazarian

Robert lives in upstate New York where he was born and raised. Technology was always his passion. His first computer was a Radio Shack TRS80 Color that used a cassette tape to save programs, and his first laptop was a Toshiba T1200FB that sported a CGA greyscale screen and two 720kb floppy drives (no hardrive). From the early 90’s through late 2011, he only owned Motorola phones starting with the MircroTAC all the way through to the Droid X. He broke that streak when he bought the Galaxy Nexus. Now he's sporting a Galaxy Note 4, and absolutely loves it. He has a wonderful wife and a 6 year old son. In his free time he enjoys sports, movies, TV, working out, and trying to keep up with the rapid fast world of technology.

  • Joeschmoe2008

    Symantec has been in the news lately for their PC Checkup Tool being described as  “scareware”.  In connection to this, there were articles critical of Symantec regarding their PC Checkup Tool and those articles were unavailable to many who use the Norton DNS service.  

  • Scum

    Symantec blows

  • Patrick West

    Avast. Use it.

  • Someone

    As long as you stay in the market, you don’t need av. by the time the virus definitions are updated, google had already pulled the offending allocations.

  • sabrina D

    After the source code leak so many who used symantec are refusing to get their products!!!

  • Mark

    Symantec request it’s user’s to disable it’s anti-virus due to the hacking.