Symantec recants Android malware claims

Now agrees with rival that apps use aggressive ad network code, declines to label them 'adware'

Gregg Keizer (Computerworld (US))
02 February, 2012 08:03
Comments

Symantec has backtracked from assertions last week that 13 Android apps distributed by Google's Android Market were malicious, and now says that the code in question comes from an aggressive ad network that provides revenue to the smartphone programs.

The security firm's new stance was in line with that taken by Lookout Security, which on Friday questioned Symantec's conclusions and instead said that the apps displayed the same behavior as others funded by 10 or more similar ad networks.

Symantec dubbed the code embedded within the 13 apps "Android.Counterclank," and classified it as a Trojan horse, or malware. According to Symantec's researchers, the malware was a variation on "Android.TonClank," called "Plankton" by researchers at North Carolina State University, another Trojan first uncovered in June 2011.

The apps containing the Android.Counterclank code had been downloaded between 1 million and 5 million times, said Symantec, which used the Android Market's own published numbers to arrive at that range. That made it the "largest malware [outbreak] on the Android Market," Kevin Haley, a director with Symantec's security response team, said in an interview last Friday.

In a blog post Monday, Symantec retracted its earlier allegations and said that the Android.Counterclank code comes from an SDK, or software development kit, distributed to "third parties to help them monetize their applications, primarily through search."

Symantec declined to name the ad network that distributes the SDK responsible for the code it detects as Android.Counterclank.

Both Symantec and Lookout have noted that the ad network code used by the 13 apps is more aggressive than the norm.

"In general, it's changing the home page of the [smartphone's] browser, adding additional shortcuts to the desktop, adding and even removing bookmarks," said Haley in a follow-up interview today.

So, if the Android.Counterclank apps are not malicious, what are they? Adware, the name pinned to unwanted PC software in the last decade?

Haley wasn't ready or willing to assign a label.

"It took a while for some consensus then about what was adware or spyware, and what wasn't," said Haley, talking about the intense debate five-to-seven years ago about those terms. "But eventually that consensus was reached."

Symantec will still identify apps that include Android.Counterclank -- a name it's also continuing to use -- but will not delete them, said Haley.

"We will come up with labels when it's appropriate," said Halley. "Now, we will make sure that we tell customers what's going on on their phones. We'll tell them what it does, and let them make the decision whether they want to make the trade-off and keep the app."

That was essentially the same practices that security companies used initially during the debates over adware and spyware on Windows PCs. Eventually, most antivirus vendors moved to a more forceful approach, and started to automatically remove such software.

"This is an inevitable discussion on mobile," said Haley. "We're going to see app vendors experiment with how to monetize their apps on Android phones, more so on mobile than on the PC, because mobile apps are sold at very inexpensive prices or given away for free. It's understandable that we'll see some pushing the boundaries, or even going beyond them."

Symantec said it reported the 13 apps with the Android.Counterclank code to Google, but that Google said the apps did not violate any of its policies, and would remain in the Android Market.

"We expect in the future there may be many similar situations where we will inform users about an application, but the application will remain in the Google Android Market," Symantec noted.

Google has declined to comment on Symantec's original malware claims or on the counter-arguments made by Lookout Security.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

See more articles by Gregg Keizer .

Read more about mobile apps and services in Computerworld's Mobile Apps and Services Topic Center.

Nominations for the 2012 ARN IT Industry Awards open on Tuesday, June 12.

Bookmark this page
Share this article
- facebook
- slashdot
- digg
- Reddit
- stumbleupon
- linkedin
- twitter
Got more on this story? Email ARN
Follow ARN on twitter

More about: Apple, etwork, Google, Microsoft, Symantec, Topic

References show all

Comments

Post new comment

Share
Share this article
- google+
- facebook facebook
- slashdot slashdot
- digg digg
- Reddit Reddit
- stumbleupon stumbleupon
- linkedin linkedin
- twitter twitter
print
email
Bookmark

Related Coverage

Related Whitepapers

AVG Internet Security 2012 10 Pack Retail Specials

More details »

ARN Vendor Directory

Find vendors by name | category

iAsset is a channel management ecosystem that automates all major aspects of the entire sales,marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Featured Resources

Market Potential-Strategy Guide to the Active Archive Market

The active archive market is a growing segment where tape is seen as part of a disk or network fileystem. This means that to an end user disk and tape are “blended” and whether file is held on disk or tape is “invisible” to the end user. The active archive market is the fastest growing space in the storage industry and allows direct end user access to tape through a file system front end.

Most Popular Resource Papers