A recently discovered piece of malware could be hidden in over one million Android devices, making it the most highly distributed piece of mobile malware identified this year, according to Symantec.
On a blog post on the Symantec web site last week, the security company says the Android.Counterclank malware is installed on between one million and five million devices.
The bot-like software is grafted on to vector applications using a package called Apperhand, and can recieve and carry out commands remotely, as well as having the potential to steal data from infected devices.
Symantec has so far identified 13 gaming apps from multiple developers carrying the malware, including several with sexual themes.
A quick look on the Android Market for one such game, Sexy Girls Puzzle by redmicapps, has over 5000 downloads. Another game, Ballon Game by Ogre Games, has over 500,000 downloads and a four star rating.
Symantec says users can identify if they are infected by looking at their running processes for a service called ‘apperhand’, or if they notice a new search icon above the homescreen.
However, mobile security company Lookout doubts the claim by Symantec that the Apperhand package is malware, and says instead it is a particularly agressive piece of adware.
Lookout has determined the Apperhand package to be a part of a software development kit (SDK) used by third-party app developers to monetise their apps through ad revenue.
Devices with Apperhand have their searches redirected through www.searchwebmobile.com, which offers app developers monetary compensation for the service.
In a response to the Symantec post, Lookout says “At this point, it appears that what we’re seeing is an example of an ad network that pushes the lines of privacy.”
Lookout claims the features shown by the Android.Counterclank and Apperhand packages are not dissimilar to those found in other ad network SDKs, like Planktoon or ChoopCheec.
“Almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar.”
Symantec acknowledged the criticism on its initial blog post with another blog post yesterday, saying this was arguing the semantics of what does and does not constitute malware.
“When classifying applications, our focus is on whether users want to be informed of the application's behaviour, allowing them to make a more informed choice regarding whether to install it,” says Symantec.
“The situation we find ourselves in is similar to when Adware, Spyware, and Potentially Unwanted Applications first made appearances on Windows. Many security vendors did not initially detect these applications, but eventually, and with the universal approval of computer users, security companies chose to notify users of these types of applications.”
Features of Apperhand package (from Symantec blog):
ACTIVATION – Causes a webpage to be displayed. The feature appears to be designed to display a webpage with a EULA (end-user license agreement), but our testing was unable to reproduce applications showing such a page.
HOMEPAGE – Sets the browser’s homepage.
BOOKMARKS – Create or request bookmarks. In our testing, we have seen this feature actively used to send all the bookmarks of a device to apperhand.com.
SHORTCUTS – Create shortcuts on the home screen.