Symantec Claims it Found Major Malware Problem on Android; Lookout Disputes

[dgstorm]

We have an interesting little "soap opera" drama potentially brewing between a couple of software makers in the Android world. Apparently, the software giant, Symantec (makers of Norton Antivirus) have started spreading the word on the largest spread of malware infections they have ever found on Android. This infection supposedly up to 5 Million users. Interestingly, in the same breath that they claim that this malware affects millions of users, they also say that the threat level is "very low". They are claiming that the software, called Android.Counterclank is a Trojan horse that steals information. Supposedly the malicious code is grafted in a package called com.apperhand, and that it comes in several games, including the ones listed below:

Supposedly, this software can do the following:

• Copy bookmarks on the device
• Copy opt out details
• Copy push notifications
• Copy shortcuts
• Identify the last executed command
• Modify the browser’s home page
• Steal build information (for example: brand, device, manufacturer, model, OS, etc.)

The drama comes from the fact that Symantec's chief competitor, Lookout Mobile Software disputes their findings and says that the software is legitimate. Here's a quote from the AndroidPolice article with more details,

A major competitor, Lookout Mobile Security, a company we support here at TalkAndroid, say that this isn’t malware and is legitimate. The apperhand package is actually an aggressive advertising component, and part of a modified version of the “ChoopCheec” platform or “Plankton” SDK that caused a stir in June 2011. This newer version is cleaner, and Lookout said the following:

• It is capable of identifying the user uniquely by their IMEI number, for instance. But unlike some networks, this SDK forward-hashes the IMEI before sending to its server. They’re identifying your device, but they are obfuscating the raw data. (That’s a good thing.)
• The SDK has the capability to deliver Push Notification ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware.
• The SDK drops a search icon onto the desktop. Again, we consider bad form, though we don’t consider this a smoking gun for malware provided the content that is delivered is safe. In this case, it is simply a link to a search engine.
• The SDK also has the capability to push bookmarks to the browser. In our opinion, this is crosses a line; although we do not believe this is cause to classify the SDK as malware.

And finally Lookout said:

“Of the applications that were originally identified as malicious, a subset of them have subsequently been pulled from the Android Market. However, it’s important to note that this does not include all identified applications, and reasons for removal may also include content, copyright, or other violations of the Android Market’s Terms of Service.”

It's interesting to see two anti-malware companies in conflict with one another, and it is more interesting to note that one of them is actually not taking the easy road by jumping on the bandwagon of creating a scare-tactic. Most savvy Android users know that most malware threats in Android tend to be overblown by the companies that sell anti-malware products. That's not to say that malware should be ignored or isn't a problem, but every report that comes out seems to act like the sky is falling. What is your perspective on this interesting little spat.

Source: Technoblog - MSNBC/MSN and TalkAndroid

[tjk629]

I HATE those push notifications ads. I had this amazing halloween live wallpaper and it came with those. Got rid of that app ASAP.

[2THEXTRM]

These companies don't make as much money if there is no threat. It's been established that some of them are not below creating that threat themselves and release into the wild. I would believe symantec at this point but they themselves are the king of intrusive and bloated resource hogging programs.

Sent from my VTAB1008 using DroidForums

[kodiak799]

Somewhat agree with the above poster. These guys are salivating over the potential of the Android user base. They can't make any money off that if there isn't a threat. Symantec SHOULD be fairly above-board, but that doesn't mean they don't overhype and grossly exaggerate threats. And they are actually having some success - you have VZW reps recommending the software and a fair amount of novice/average users seem to think they need the protection.

For me it's pretty simple - I just don't do anything sensitive on my phone. Biggest threat to me would be someone getting my gmail password and, potentially, getting my CC info used in the google market (or Amazon). Not sure they could get my CC info with my account password, but you have fraud protection with your CC and then just occasionally change your passwords. There is some convenience aspect to doing online banking/financial transactions, but aside from being a daytrader where I maybe couldn't wait a few hours to get to my pc, I can't think of a reason I need to do anything sensitive on my phone right that instant.

I use Lastpass on my computer, but I don't use it on my phone for the same reason. If I lose my phone, I'm not really at risk of anything. Change a few passwords and cancel my service and I'm set.

[DroidMastar2]

Looks like i will be removing lookout from my phone... i don't agree with their philosophy on what malware is... and though I loathe Symantec (whose antivirus on the pc is almost like malware, just try and uninstall that crap) I have to agree with them on this.

[DroidMastar2]

Somewhat agree with the above poster. These guys are salivating over the potential of the Android user base. They can't make any money off that if there isn't a threat. Symantec SHOULD be fairly above-board, but that doesn't mean they don't overhype and grossly exaggerate threats. And they are actually having some success - you have VZW reps recommending the software and a fair amount of novice/average users seem to think they need the protection.

For me it's pretty simple - I just don't do anything sensitive on my phone. Biggest threat to me would be someone getting my gmail password and, potentially, getting my CC info used in the google market (or Amazon). Not sure they could get my CC info with my account password, but you have fraud protection with your CC and then just occasionally change your passwords. There is some convenience aspect to doing online banking/financial transactions, but aside from being a daytrader where I maybe couldn't wait a few hours to get to my pc, I can't think of a reason I need to do anything sensitive on my phone right that instant.

I use Lastpass on my computer, but I don't use it on my phone for the same reason. If I lose my phone, I'm not really at risk of anything. Change a few passwords and cancel my service and I'm set.

The focus for the future of computer tech. is mobile technology. Being able to do everything on the go. One of the biggest merchandising fronts is being able to access, connect, utilize data and information while on the move using only one device. For the most part and in many cases that device being "your" cell phone. So with progression, more users will move towards this idea, (maybe even yourself)... Wouldn't you rather have the company/app protecting your data site malicious software/apps even if they are of minimal threat?

[akhenax]

The names of some of those apps are no surprise to me that they contain malicious code. "Sexy Girls Photo Game"...you are asking for it IMHO.

[metalspring]

sexy girls puzzle? sexy woman puzzle? sexy girls photo game? and stripper touch girl? anyone who knows anything should realize those types of things are nearly always ridden with malware and viruses...

[kodiak799]

The focus for the future of computer tech. is mobile technology. Being able to do everything on the go. One of the biggest merchandising fronts is being able to access, connect, utilize data and information while on the move using only one device. For the most part and in many cases that device being "your" cell phone. So with progression, more users will move towards this idea, (maybe even yourself)... Wouldn't you rather have the company/app protecting your data site malicious software/apps even if they are of minimal threat?

You're speaking of a convenience of no real value. I don't access my banking info every day, or even every week. There is 0 reason to have to access that from my phone. Perhaps one day when the smartphone IS my laptop/pc, but we are several years away from that. Even then, I will probably always have a pc or netbook at home where I keep sensitive tax and banking records because there just isn't need to have access to it everywhere I go.