We have an interesting little "soap opera" drama potentially brewing between a couple of software makers in the Android world. Apparently, the software giant, Symantec (makers of Norton Antivirus) have started spreading the word on the largest spread of malware infections they have ever found on Android. This infection supposedly up to 5 Million users. Interestingly, in the same breath that they claim that this malware affects millions of users, they also say that the threat level is "very low". They are claiming that the software, called Android.Counterclank is a Trojan horse that steals information. Supposedly the malicious code is grafted in a package called com.apperhand, and that it comes in several games, including the ones listed below:
Supposedly, this software can do the following:
- Copy bookmarks on the device
- Copy opt out details
- Copy push notifications
- Copy shortcuts
- Identify the last executed command
- Modify the browser’s home page
- Steal build information (for example: brand, device, manufacturer, model, OS, etc.)
The drama comes from the fact that Symantec's chief competitor, Lookout Mobile Software disputes their findings and says that the software is legitimate. Here's a quote from the AndroidPolice article with more details,
It's interesting to see two anti-malware companies in conflict with one another, and it is more interesting to note that one of them is actually not taking the easy road by jumping on the bandwagon of creating a scare-tactic. Most savvy Android users know that most malware threats in Android tend to be overblown by the companies that sell anti-malware products. That's not to say that malware should be ignored or isn't a problem, but every report that comes out seems to act like the sky is falling. What is your perspective on this interesting little spat.A major competitor, Lookout Mobile Security, a company we support here at TalkAndroid, say that this isn’t malware and is legitimate. The apperhand package is actually an aggressive advertising component, and part of a modified version of the “ChoopCheec” platform or “Plankton” SDK that caused a stir in June 2011. This newer version is cleaner, and Lookout said the following:
- It is capable of identifying the user uniquely by their IMEI number, for instance. But unlike some networks, this SDK forward-hashes the IMEI before sending to its server. They’re identifying your device, but they are obfuscating the raw data. (That’s a good thing.)
- The SDK has the capability to deliver Push Notification ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware.
- The SDK drops a search icon onto the desktop. Again, we consider bad form, though we don’t consider this a smoking gun for malware provided the content that is delivered is safe. In this case, it is simply a link to a search engine.
- The SDK also has the capability to push bookmarks to the browser. In our opinion, this is crosses a line; although we do not believe this is cause to classify the SDK as malware.
And finally Lookout said:
“Of the applications that were originally identified as malicious, a subset of them have subsequently been pulled from the Android Market. However, it’s important to note that this does not include all identified applications, and reasons for removal may also include content, copyright, or other violations of the Android Market’s Terms of Service.”
Source: Technoblog - MSNBC/MSN and TalkAndroid