The issue as to whether the Android.Counterclank attack was a malware or a mere ad network has been much debated last week. Symantec, as the first to report this issue, stated that it was the ‘largest Android malware campaign discovered.’ However, Lookout Security counteracted this report and said that it was not a malware attack, but simply a different ad network strategy.
Earlier, Symantec named the code as Android.Counterclank and classified it as a malware, or a Trojan horse. Based on the findings of their researchers, it was a variation of the ‘Android.TonClank’ malware, called ‘Plankton’ by North Carolina State University researchers. This Trojan was first uncovered in June 2011.
Almost a week later, Symantec backtracked their report and has agreed to Lookout’s assessment on the issue. This has led to the conclusion that the 13 Android apps previously mentioned by Symantec were not really malicious, and instead, had questionable code coming from a very aggressive ad network. The purpose of which, is to provide revenue to the mentioned smartphone programs. This same report was earlier mentioned by Lookout, stating that these apps simply displayed a similar behavior typically funded by 10 or more similar ad networks.
Symantec posted in their blog on Monday that the Android.Counterclank code is from a software development kit (SDK), which was distributed to “third parties to help them monetize their applications, primarily through search.” However, Symantec did not name the ad network responsible for distributing this SDK.
So It’s Not Malware?
Ruling out the possibility that the attack was a malware, people are now asking Symantec what it could be. Some even refer to it as adware, a term used in the last decade to refer to unwanted PC software. But according to Kevin Haley, Symantec’s security response team director, putting a label on the attack has not yet been done.
“It took a while for some consensus then about what was adware or spyware, and what wasn’t,” Haley said, referring to the heated debate on the topic which occurred 5-7 years ago. “But eventually that consensus was reached.”
This meant that Symantec will still continue to use the term Android.Counterclank and will identify apps which include the attack.
“We will come up with labels when it’s appropriate,” Haley said. “Now, we will make sure that we tell customers what’s going on on their phones. We’ll tell them what it does, and let them make the decision whether they want to make the trade-off and keep the app.
“This is an inevitable discussion on mobile. We’re going to see app vendors experiment with how to monetize their apps on Android phones, more so on mobile than on PC, because mobile apps are sold at very inexpensive prices or given away for free. It’s understandable that we’ll see some pushing the boundaries, or even going beyond them.”
According to Google, the 13 apps that had the Android.Counterclank code and reported by Symantec, did not violate any of its policies. As such, they will remain in the Android Market.
“We expect in the future there may be many similar situations where we will inform users about an application, but the application will remain in the Google Android Market,” Symantec confirmed.
On that note, Google has not given any comment on either reports by Symantec and Lookout Security.