Android.Counterclank: Android Market Trojan Debacle Unfolds

Here are the 13 free games on the Android Market that Symantec claims are spreading the trojan Android Counterclank. Two days after Symantec posted its threat warning, several of the games listed are still up on the Google Android Market. Source: Symantec

Two days after antivirus maker Symantec outed three software publishers for embedding spyware in their apps, some of the 13 free games from makers iApps7, Ogre Games and redmicapps are still on the Google Android market.

Reps from Google or the three appmakers did not return calls or emails for comment as of early Sunday evening PT. And though at least one security firm has taken with issue with Symantec’s portrayal of this as a huge malware outbreak, most of the games are coming down off the Android Market.

Android.Counterclank is a derivative of Android.Tonclank, says Symantec. It’s a medium risk Trojan, reps add, saying it essentially provides a back door for security details, settings and browsing history to leak from your Android phone. Symantec competitor and malware security firm Lookout Mobile says the so-called spyware is just an “aggressive ad network.” More on that later in this post. Either way you want to know if you’ve got it.

Here’s everything you need to know.

First, here is a listing of the games Symantec says is spreading what it calls “the worst malware” botnet infection ever, affecting five million Android users or more worldwide.

UPDATE: 4:30 PT 29 Jan

All the Ogre Games are still on the Android Market. The iApps7 Inc. game Heart Live Wallpaper is the only iApps7 infected game still listed. Two of the redmicapps games remain up — the puzzle games listed below.

Symantec’s updated Android.Counterclank page now describes the bot’s operation in detail:

The listed apps all contain a similar package called com.apperhand, which has functionality similar to com.plankton found in Android.Tonclank and may perform the following actions on the compromised device:
Copy bookmarks on the device
Copy opt out details
Copy push notifications
Copy shortcuts
Identify the last executed command
Modify the browser’s home page
Steal build information (for example: brand, device, manufacturer, model, OS, etc.)

The Trojan may attempt to connect to the following remote locations:
[http://]www.apperhand.com/ProtocolGW/prot[REMOVED]
[http://]www.searchmobileonline.com/[CATE[REMOVED]
Applications from these publishers include but are not limited to the following:
com.iapps.hitterrorist
com.iapps.hitterroristpro
com.christmasgame.balloon
com.christmasgame.deal
com.redmicapps.puzzles.ladies3

The Ogre Games trojan has additional mischief built in, Symantec added. It alleges that trojan Applications from Ogre Games have the additional functionality to retrieve the following information from the device:

Android ID
IMEI
IMSI
MAC address
SIM serial number</blockquote>

In a blog post, Lookout Security says its competitor Symantec is making too much of this. It isn’t malware, that company says, but adware it describes more fully in the excerpt I include below:

It’s part of an advertising software development kit that’s a modified version of the “ChoopCheec” platform” or “Plankton” SDK that was the focus of some privacy concerns in June 2011. This newer version is cleaner, but it still has capabilities common to many ad networks. Writes Lookout:

•It is capable of identifying the user uniquely by their IMEI number, for instance. But unlike some networks, this SDK forward-hashes the IMEI before sending to its server. They’re identifying your device, but they are obfuscating the raw data. (That’s a good thing.)
•The SDK has the capability to deliver “Push Notification” ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware.
•The SDK drops a search icon onto the desktop. Again, we consider bad form, though we don’t consider this a smoking gun for malware provided the content that is delivered is safe. In this case, it is simply a link to a search engine.
•The SDK also has the capability to push bookmarks to the browser. In our opinion, this is crosses a line; although we do not believe this is cause to classify the SDK as malware.

Whatever you call it, malware or adware, no one is debating the fact that these apps create a process called apperhand. This sends personal information about the phone to a server on the Internet so it is retrievable.

Additionally, it uses the trojan to log user activity, copy bookmarks and change the browser homepage.

Though most of this is done in the background, the application also puts search icons on the home screen, which makes its presence very obvious. The appmakers, listed by Symantec as iApps7 Inc, Ogre Games, and redmicapps, each displayed a notice in some of app descriptions that state the “search shortcut on your bookmarks … will help us bring you more cool apps like this in the future.” Adware? Malware?

A little of both.

According to this excellent Android tutorial site, here’s some background:

Like Tonclank, Counterclank … may also be used to obtain more details and present advertisements on cellular cell phone devices.

Android.Counterclank latches on to the main plan in a package known as the “apperhand.” When that package is run, a service with the same name may be seen running on a influenced product or service.

Users may also decide their product or service has been polluted by Os.Counterclank if they see this search icon on the homescreen of their phone or dietary supplement.

Want to get rid of Android.Counterclank? Here’s what Symantec recommends.

3 Comments