Malvertising Or Just Advertising? The Curious Case Of Counterclank

Security firm Symantec is sounding the alarm about a mobile device threat they call ‘Counterclank,’ a Trojan horse program that they say may have infected as many as five million devices through downloads on the Official Android Market. However, other security researchers aren’t so sure, and wonder whether Counterclank isn’t anything more than an aggressive advertising campaign.

AndroidSecurity firm Symantec is sounding the alarm about a mobile device threat they call ‘Counterclank,’ a Trojan horse program that they say may have infected as many as five million devices through downloads on the Official Android Market. However, other security researchers aren’t so sure, and wonder whether Counterclank isn’t anything more than an aggressive advertising campaign.

Counterclank is bundled with mobile applications including Counter Elite Force, Counter Strike Ground Force, CounterStrike, and more than a dozen more, according to Symantec. The company’s security response team call Counterclank a minor modification of an older Trojan known as Tonclank. The company said the information stealing trojan represents a low level of risk despite having the highest distribution rate of any mobile threat the year. But those claims aren’t backed up by other mobile security experts, raising questions about what defines malicious activity in the fast-growing marketplace for mobile applications.

For Symantec, the story is clear. In each of the infected applications the company analyzed, Symantec claims, malicious code is inserted as a package titled “Apperhand.” Once executed, users of compromised devices may see a service running under the same name or there may be a visible search icon on their home screen.

However, the Lookout Blog has a different angle on what they are referring to as the Apperhand SDK. That firm contests Symantec’s claim that Counterclank has compromised some five million devices and refuse to classify Counterclank as a piece of malware at all. Lookout’s analysis pegs the Apperhand SDK as a highly aggressive advertising network that should be taken seriously, but shows no signs of malicious behavior. In other words, Apperhand may be an ad network that pushes the boundaries of privacy, but its not malicious.

Kaspersky Lab’s Android Specialist, Tim Armstrong, agrees with Lookout. Back in October he published an article on Securelist detailing a concerning new trend in application advertising. Advertisers, for all intents and purposes, are mimicking Android Trojans by siphoning much of the same personal information that Android Trojans are designed to steal, he told Threatpost.

Mobile security is an increasing concern for individuals as well as employers. Employee-driven adoption of smart phones like Apple’s iPhone and Google Android is transforming corporate IT. And, though malware for mobile platforms is still rare, online criminals, scam artists and advanced attackers are increasingly interested in attacks that target mobile platforms and users.

Suggested articles