Monday, January 30, 2012

Android Trojans downloaded by millions, still on Android Market

Symantec last week identified 13 new malicious applications on the Android Market, saying the combined download figures—reportedly up to 5 million—make it "the highest distribution of any malware identified so far this year." The applications use Android.Counterclank, which Symantec says is "a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device."
We found six of the apps from three publishers still appearing on the Android market Monday morning. Symantec calls Android.Counterclank a Trojan, and Google's Android Market policies specifically ban Trojans and other types of malware. On the other hand, Symantec classifies Android.Counterclank as having "very low" risk, and the app publishers barely seem interested in hiding the programs' capabilities.
One such app (link is probably NSFW) identified by Symantec as a Trojan contains "write browser's history and bookmarks" under its list of permissions. This is coupled with a generic warning from Google that "Malicious applications can use this to erase or modify your Browser's data." Another app on Symantec's list is "Deal or BE Millionaire," and one user review from more than two weeks ago warns, "beware malware... every time you run this game, a 'search' icon gets added randomly to one of your screens. I keep deleting the icon, but it always reappears. If you tap the icon you get a page that looks suspiciously like the Google search page." Symantec says the presence of the search icon on the home screen is one sign of Android.Counterclank infection.
Symantec says the apps can "copy bookmarks on the device, copy opt out details, copy push notifications, copy shortcuts, identify the last executed command, modify the browser's home page, steal build information," and retrieve device data such as the Android ID, MAC address and SIM serial number. We've asked Google if the company plans to remove all of these apps from the Market and will provide an update as we get new information.
UPDATE: As one commenter points out, Lookout Mobile Security has a different take on the matter, that Android.Counterclank is not malware but "an aggressive form of an ad network." While these apps contain software that is annoying and that average users do not want, Lookout notes that it isn't designed to commit identity theft or financial fraud. We've also learned that several of the apps were pulled from the Android market because they violated Android Market policies unrelated to malware, such as trademark violations or artificially increasing ratings.