Largest Android Malware Campaign Discovered

January 28, 2012

If you downloaded something off the Android Market today, there is a chance that you are one of the up to 5 million users who have been duped by the largest-ever Android malware campaign. Symantec has dubbed it ‘Android.Counterclank’; it was found in 13 infected apps created by three different publishers. The titles of these infected apps include ‘Counter Strike Ground Force’ and ‘Sexy Girls Puzzle.’ Unfortunately, infected apps were still available on the market as of 3pm Friday.

In an interview, Symantec’s Security Response Team Director, Kevin Haley said:

“They don’t appear to be real publishers. There aren’t rebundled apps, as we’ve seen so many times before.”

This was in reference to a common tactic which Android malware makers use to deceive unsuspecting users into downloading an infected app. They would normally repackage a legitimate app with attack code and re-release it to the marketplace, hoping that users will confuse the fake with the real one and download it.

Symantec has estimated the number of downloads, something the Android Market only shows as a range. By combining the download totals of the 13 apps, Symantec arrived at a figure between 1 and 5 million. “Yes, this is the largest malware [outbreak] on the Android Market,” Haley admitted.

The malware is actually a Trojan that targets Android smartphones. Upon installation, it collects a wide range of data, including the handset maker and copies of the user’s bookmarks. It also modifies the browser’s home page. Through this, the attackers have earned money by pushing unwanted advertisements onto compromised Android devices.

One of the reasons the malware has affected such a huge number of Android users is that they do not bother to read the privacy agreements. They simply approve the apps without reading the information presented about them.

“If you were the suspicious type, you might wonder why they’re asking for permission to modify the browser or transmit GPS coordinates,” Haley said. “But most people don’t bother.”
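The two points above (the capabilities the article attributes to the malware, and the permission requests users approve without reading) can be turned into a simple triage check. The following is an added example, not code from the article, Symantec or Lookout: it reads the permissions an app declares in its AndroidManifest.xml and flags the combination of network access with browser-bookmark, home-screen-shortcut, location or device-identifier permissions. The permission names are real Android identifiers; the mapping of each to a behaviour described in the article, the threshold, and the two sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions an app needs for the behaviours the article describes
# (reading/modifying bookmarks and browser home page, adding a search icon,
# sending GPS coordinates, reading device identifiers). The permission names
# are real; pairing them with these behaviours is an assumption of this example.
RISK_SIGNALS = {
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "reads browser bookmarks",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "can modify bookmarks / browser home page",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "can add icons to the home screen",
    "android.permission.ACCESS_FINE_LOCATION": "can transmit GPS coordinates",
    "android.permission.READ_PHONE_STATE": "can read device identifiers",
}


def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.findall("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def triage(manifest_xml: str, min_signals: int = 2) -> dict:
    """Flag a manifest when it asks for INTERNET plus at least
    `min_signals` of the data-collection / UI-modification permissions above."""
    perms = declared_permissions(manifest_xml)
    hits = {p: RISK_SIGNALS[p] for p in perms if p in RISK_SIGNALS}
    has_internet = "android.permission.INTERNET" in perms
    return {
        "permissions": perms,
        "signals": hits,
        "internet": has_internet,
        "flagged": has_internet and len(hits) >= min_signals,
    }


# Constructed sample: a "puzzle game" asking for far more than a game needs.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Constructed sample: a game that only needs network access for a leaderboard.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardgame">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("puzzlegame", SUSPICIOUS_MANIFEST), ("cardgame", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "flagged" if result["flagged"] else "ok")
        for perm, why in result["signals"].items():
            print("   ", perm, "->", why)
```

A flag from this check is a reason to look closer, not a verdict: the same permissions serve legitimate bookmark managers and launchers, and the dispute in the comments below (Trojan or merely aggressive adware) is exactly the kind of question that permissions alone cannot settle. In practice you would run it over the manifest pulled out of the APK with the SDK’s `aapt` tool and then review what the code actually does with the access it requests.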

Today’s malware is a minor variation of Android.Tonclank, a Trojan horse discovered in June 2011.

Even though the malware was only discovered yesterday, some of the 13 infected apps have been on the Android Market for at least a month, judging by the revision dates posted for them. Android users did not notice anything fishy.

One user who downloaded ‘Deal & Be Millionaire’ on January 16 had this to say about the app:

“The game is decent… but every time you run this game, a search icon gets added randomly to one of your screens. I keep deleting the icon, but it always reappears. If you tap the icon you get a page that looks suspiciously like the Google search page.”

Deal & Be Millionaire is one of the 13 infected apps.

Comments

  • AppleFUD

    The #1 preventable problem with Android that causes me to recommend other devices to people–yes, some people just aren’t smart enough to not download crap apps.

    No app market will be 100% safe but it’s just too easy to get bad apps into the Android ecosystem. IMHO I think this will be a big bonus to Amazon over time if it continues.

    • http://twitter.com/MysteriousDiary Leif

      Well so far there wasn’t really anything which harmed users. Most security companies just want to scare users to sell their own products. The only company who shares more details than just scaring is Lookout. Most of the malware is in 3rd party markets and even there it’s more harmless stuff. Lookout published the names of the top 3 Android malware and those aren’t really dangerous. Places 1 and 2 are apps which offer app downloads for premium SMS, and place 3 is an app which asks the user to root its phone and then asks for root permissions.

      The real security issue is still the user itself and its laziness with passwords. Just take a look at iOS which has had problems for years with fraudulent in-app payments (http://threatpost.com/en_us/blogs/game-maker-40-percent-itunes-app-purchases-are-fraud-031011). Those don’t come from malware apps I guess, but because of security issues or users who don’t care enough about their passwords. A few times a week I see posts from people who lost money in the iOS market because of fraud; on Android it hasn’t happened so far but it’s just a question of time until we see that happening there too I guess. The problem isn’t those apps, so far they weren’t really harmful. The biggest issue is users who use one password for multiple things. Everyone could just make a common app which requires a user registration and you could easily get it into any AppStore – doesn’t matter if it’s controlled or not. Nobody can control what the developer does with the “legally” gained data in the background. I guess maybe 30%(?) of the email/pw combinations would also work for iTunes or Google Market accounts.

      • AppleFUD

        Oh, I agree with your points. The user will always be the weak point & security firms are usually using fear to sell their wares; however, the Android Market is far easier to get anything into and it seems that it is far easier to set up fake dev accounts. RIM seems to be very strict about setting up dev accounts; thus, they have a clear path to track a person down if they try to do something harmful, and that looks like the only real way to vet a market imo–be strict setting up dev accounts & require some hoop jumping and verification from the developer. But I do think at this point in time Google and Apple care more about the numbers game so they can say they have as many or more apps than the other.

  • http://twitter.com/MysteriousDiary Leif

    Check Lookout’s statement about this. They called the behavior of Symantec “premature”.

    Those aren’t a Trojan or malware…they’re not more than some kind of new adware.

    http://blog.mylookout.com/blog/2012/01/27/lookout%E2%80%99s-take-on-the-%E2%80%98apperhand%E2%80%99-sdk-aka-android-counterclank/

  • Anonymous

    Unfortunately this is the biggest load of crap I have ever seen.
    Shame on Symantec for this FUD.
    1. Oh noes, they got my mac address! Doom!
    2. The search/bookmark is a common advertising method as seen here: airpush.com

    Now we will just see more iDorks complaining that Android is infested, when it isn’t, all the while 90% of iApps are uploading their contact info without their knowledge..