
Widely distributed Android malware hidden in adult games

Over one million Android devices infected with 'Counterclank' malware, according to Symantec.

A recently discovered piece of malware could be hidden in over one million Android devices, making it the most highly distributed piece of mobile malware identified this year, according to Symantec.

In a blog post on the Symantec web site last week, the security company says the Android.Counterclank malware is installed on between one million and five million devices.

The bot-like software is grafted on to vector applications using a package called Apperhand, and can receive and carry out commands remotely, as well as having the potential to steal data from infected devices.

Symantec has so far identified 13 gaming apps from multiple developers carrying the malware, including several with sexual themes.

A quick look on the Android Market shows that one such game, Sexy Girls Puzzle by redmicapps, has over 5000 downloads. Another game, Balloon Game by Ogre Games, has over 500,000 downloads and a four star rating.

Symantec says users can identify if they are infected by looking at their running processes for a service called ‘apperhand’, or if they notice a new search icon above the homescreen.

However, mobile security company Lookout doubts the claim by Symantec that the Apperhand package is malware, and says instead it is a particularly aggressive piece of adware.

Lookout has determined the Apperhand package to be a part of a software development kit (SDK) used by third-party app developers to monetise their apps through ad revenue.

Devices with Apperhand have their searches redirected through, which offers app developers monetary compensation for the service.

In a response to the Symantec post, Lookout says “At this point, it appears that what we’re seeing is an example of an ad network that pushes the lines of privacy.”

Lookout claims the features shown by the Android.Counterclank and Apperhand packages are not dissimilar to those found in other ad network SDKs, like Planktoon or ChoopCheec.

“Almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar.”

Symantec acknowledged the criticism on its initial blog post with another blog post yesterday, saying this was arguing the semantics of what does and does not constitute malware.

“When classifying applications, our focus is on whether users want to be informed of the application's behaviour, allowing them to make a more informed choice regarding whether to install it,” says Symantec.

“The situation we find ourselves in is similar to when Adware, Spyware, and Potentially Unwanted Applications first made appearances on Windows. Many security vendors did not initially detect these applications, but eventually, and with the universal approval of computer users, security companies chose to notify users of these types of applications.”

Features of Apperhand package (from Symantec blog):

ACTIVATION – Causes a webpage to be displayed. The feature appears to be designed to display a webpage with a EULA (end-user license agreement), but our testing was unable to reproduce applications showing such a page.

HOMEPAGE – Sets the browser’s homepage.

BOOKMARKS – Create or request bookmarks. In our testing, we have seen this feature actively used to send all the bookmarks of a device to

SHORTCUTS – Create shortcuts on the home screen.
