Android Apps Security Alert: sneaky Trojan adware potentially affecting Millions

by Antonio Wells Jan 30, 2012 9:56 AM – 8 Comments

Recently, anti-virus & anti-malware company Symantec alerted the public of Android.Counterclank and categories it as a very low threat Trojan that steals personal information; which infected more than 5 million people. Mobile threat and anti-virus company Lookout posted in their blog and disagreed with the assessment. They felt it was “an aggressive form of ad network and should be taken seriously.” Symantec illustrates the software identifies your device unique IMEI and sends the details off to an unknown host without your knowledge or consent. Lookout’s perspective took notice of the potential malware as a nuisance that adds “Search” icons to your homescreen, adds bookmarks to browser and pushes ads in your notification bar. However, I have my own opinion on this and would like to label it as sneaky “Adware“!

I have been following this particular variant of software for a month prior to the breaking news, however, needed more information to gather an assessment. Whatever you want to call it; malware, adware or crapware, I estimate more than 10 million have been infected. My experience with the software came from installing free MP3 downloader apps such as MP3 Music Download Pro, MP3 Music Download V2 and Easy Mp3 Downloader for review; in which these 3 apps have a combined minimum total of 12 million downloads.

My Conspiracy Theory…

With a new medium bursting with opportunity to take advantage of unsuspecting suckers there will always be those that gain and lose. Introducing the rise of creative mobile ad networks… these ads are designed to help developers monetize their apps and allow advertisers to reach consumers while the ad network benefit from the collaboration; the mechanism of delivery however is shady.

My theory started when I actually noticed two types of icons placed on the homescreen, two vendors for “Search” and one for “Market”. I’ve noticed the Apperhand search page (which I found was powered powered by InfoSpace search aggregator upon deeper investigation) and the AirPush ad network search page. These search icons bring you to a page that looks similar to Google’s mobile search page, an unsuspecting user might just use it thinking it’s Google’s. When you use the search it does give results, however, riddled with sponsored ad results meant to confuse the user into clicking.

In Conclusion…

I hope this serves as enlightenment for the general public to stay more vigilant about the apps the install onto their devices. As we have learned from past security scares, thoroughly looking at the permissions an app request may not be enough. I would personally predict this behavior will only increase as more ad network spring up to monetize the space or as more people take advantage of opportunities. To get rid of the adware you would have to delete the suspecting app that installed it as simply deleting the “Search” or “Market” icons from your homescreen or Browser bookmarks wont stop the annoying push notification bar ads.

Have you noticed these ads? Share your experience in the comments below!

Tags: Adware, Android Apps, Android Apps Security Alert, Android Security, Android.Counterclank, Apperhand SDK, Lookout Mobile Security, malware, Symantec

Categorised in: Apps Blog, Featured, News

8 Comments

By Jeff on January 30, 2012 at 6:29 pm:

Dude…come on! Stop regurgitating week old news. Lookout Security has already rebutted Symantec’s claims. Not to mention, Symantec always uses scare tactics like this to try and drive more sales for their mobile software. Its the same game just on a new platform.

Reply
- By Antonio Wells on January 30, 2012 at 7:57 pm:
  
  @Gregory based on my experience in this industry, when media sources pick up the story, enlighten unsuspecting users and get them wondering about software like this. The awareness creates good change. For example, many of the apps Symantec flagged, Google has pulled them from the Market. Although I’m unsure if they invoked it in this particular case, Google has a mechanism to remotely pull bad apps from phones. If this practice gets too out of hand, I believe Google will ban most/all suspect apps which will put a damper on the adware operation. In short, regurgitating the story in the media helps, in contrary to what @Jeff thinks.
  
  Reply
  - By Jeff on February 1, 2012 at 11:06 am:
    
    Antonio
    
    There is a difference between regurgitating news that actually is based on facts. You sir are simply helping Symantec with their scare spreading. If you bothered to read more current news and see that nothing you said in your article holds water anymore. Those apps are not malicious, they are adware at best, and do not pose any harm to your phone, your personal information, and they don’t spread like other types of truly malicious wares. You mention your experience in the industry, so why don’t you actually use that experience to gather all of the facts before spewing out old news that just leads to more frantic people instead of well-informed people.
    
    Really, if that is the type of editing being allow on this blog, I will be deleting it from my feeds.
    
    Jeff
    
    Reply
    - By Antonio Wells on February 1, 2012 at 11:21 am:
      
      I think the misunderstanding starts with you clearly not reading the article I wrote… which is OK. However, I clearly state what IS current, that the software is “Adware”. I even placed it in bold. Quote:
      
      However, I have my own opinion on this and would like to label it as sneaky “Adware“!
      
      The story breaks down as so:
      
      Start with the scare tactic headline, then the rebuttal, then my own assessment, followed by my theories of its origins, and concluding with enlightenment and tips on how to remove it if infected. Your opinion is definitely appreciated, however, had you read it you probably would agree. Lastly, you are more than welcome to remove us from your feed.
      
      Have a great day!
      
      Reply
      - By Jeff on February 1, 2012 at 3:18 pm:
        
        No…the misunderstanding comes from you making assumptions that just are not true and that you reported things that were a week old and failed to mention the rebuttals by Lookout Security, who specializes in Android based malware/virus research. Then the article posted by Computer World today stating that Symantec recanted the very claims that you seem to be bent on reporting as true. There is clearly a difference between real industry experience, vs. being able to re-report some other blog or company website just because it sounded good to you.
        
        I did read your article prior to my first comment and still feel you were heavily leaning towards supporting Symantec’s claims without doing any real fact finding so you could report the truth. Face it, journalism is dead now that anyone can write blogs and claim they are a journalist.
      - By Antonio Wells on February 1, 2012 at 3:33 pm:
        
        It’s clear we agree to disagree. It’s also clear you choose to disregard plain “black and white”, which again is OK.
        
        The story broke on the 27th, I choose to wait on posting as I tried to get official responses from the adware companies behind it, but to no avail. My story posted on the 30th, which I guess is a week later according to your standards.
        
        Again, had you read you would notice my link and quote in the third sentence directly to what Lookout rebutted with. The article has not been updated and in its original form.
        
        Lastly, and I can’t stress this enough, had you read my article you would know in summary it’s about creating the awareness of the “adware“, it’s theorized origins, and how to stay vigilant and get rid of it. Why, the article isn’t even about Symantec’s scare tactics. The words “Symantec” or “malware” aren’t even mentioned anymore after the first paragraph.
        
        So before you go and jump to conclusions about someone’s reporting abilities, be sure to have a valid challenge. Else it’s a waste of time. Have yourself a good day.
By Gregory F Phillips on January 30, 2012 at 7:14 pm:

So after reading this review, I remembered that I had seen a new search icon on one of my home menu pages on my Sony Xperia x10 phone. And the search icon does in fact look like the Google search page however the url is:

**DON”T CLICK JUST FOR REPORTING ONLY**
http://www.searchmobileonline.com

Is there other ways to report these issues?

Reply
By vf1568 on February 1, 2012 at 7:25 pm:

Hi I have a galaxy 10 and am looking for an activex app. Does anyone know if there is one available. The salesman showed me one that showed up for the phones on the android market but I cannot seem to find it.

Reply