New Android malware? Or just an ad network?

Symantec CounterClank diagram

Security firm Symantec raised eyebrows last week with a security notice about software it has dubbed Android.Counterclank, malware that the company claims can be found in over a dozen apps in the official Android Market that have been installed as many as 5 million times. According to Symantec, Counterclank is a “bot-like” threat that, once installed on an Android device, can steal information and pass it along to a malicious host, and the software can respond to remote commands to carry out certain actions on the Android device. Devices with the software running might see a service running under the name “apperhand,” along with a new Search icon on the home screen.

A selection of the thirteen applications identified by Symantec have been pulled from the Android Market, but it’s not clear whether the apps were removed because of the presence of the possible malware or for unrelated reasons.

However, another mobile security firm, Lookout, says “Apperhand” isn’t malware at all: instead, they believe it’s an “aggressive form of ad network” that doesn’t have any malicious behaviors…but definitely pushes the limits of what users might expect an ad-enabled app to do.

“Malware is defined as software that is designed to engage in malicious behavior on a device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud,” Lookout wrote on its site. “Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network—not malware.”

According to Lookout, Apperhand pushes the envelope for ad network SDKs by including the capability to place a search icon on the mobile desktop, place advertising in the Android device’s notification bar, and push bookmarks to the device’s mobile browser. Lookout admits they aren’t fond of these practices, but they don’t believe they meet the threshold for malware: the search engine, bookmarks, and notifications do not appear to be malicious. Lookout also notes that while Apperhand does forward uniquely identifiable information, the same is true for nearly all ad networks, and Apperhand obfuscates the data before it’s transmitted.

Both companies say they are continuing to investigate the software.

[Update 31-Jan-2012: Symantec has issued a follow-up detailing some of the Apperhand functions, and says they’ve confirmed the Apperhand code comes from a developer that publishes an SDK for monetizing Android applications. Like Lookout, Symantec questions Apperhand’s functions—including setting up home screen icons and pushing bookmarks without disclosure—but now stops short of calling it malware.]