Dubious Android apps may not be malware--just ads

Symantec may have mistakenly labeled more than a dozen Android apps as malware, according to security researchers at Verizon-affiliated ICSA Labs.

It's an easy mistake to make, according to Roger Thompson, an ICSA "emerging threats" researcher who authored a blog post on the subject. Thompson suggested that the apps appear to include a new release of an ad platform that merely resembles malware in certain ways.

Symantec recently raised an alarm over an alleged Trojan it dubbed Android.Counterclank, saying its researchers had discovered 13 apps on the Android Market that had millions of downloads combined were "malware" because they could allow an attacker to remotely control the device. But Google refused to remove the apps from the Android market because they weren't violating terms of service or doing anything customers hadn't given permission for.

Symantec said the alleged Trojan could be found in game and entertainment apps such as "Counter Strike Ground Force," "Deal and Be Millionaire" and "Pretty Woman Lingerie Puzzle." The apps are "a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device," Symantec's Irfan Asrar wrote in a blog post.

Android.Counterclank certainly sounded dangerous. Symantec said the alleged Trojan could request permissions to access network, Wi-Fi and Cell-ID information, as well as install shortcuts, read settings, check the phone's current state, open network connections, read and write access of the browsing history, copy bookmarks and retrieve the MAC address, SIM serial number and other device data.

The apps included disclaimers noting that that they were making money by including a search bar shortcut that could be deleted and adding a search app to browser bookmarks.

Symantec backtrack on its assessment that the apps were malware in a blog post earlier this week, noting that "the code in the Tonclank and Counterclank applications comes from the same vendor. The vendor is a company who distributes a SDK (software development kit) to third parties to help them monetize their applications, primarily through search."

Researchers at mobile security firm Lookout initially acknowledged "some concerns" about the apps' functionality, but added:

[A]t this time, and as far as we can tell, it does not meet the standard to be classified as malware or a 'bot.' Consumers should take these apps very seriously as they appear to tread on privacy lines, but they are not necessarily malicious.

Now ICSA Labs is weighing in on the matter. The testing and certification firm has concluded that the apps in question represent a new release of an ad platform "developed to allow Android developers to monetize their apps... not a Trojan, designed to steal information or turn the victim's device into part of an Android botnet."

It's difficult to determine when a Trojan is a Trojan, ICSA Labs said. If you can't observe malicious behavior, such as recording keystrokes, sending premium text messages or downloading other code without permission, you have to reverse engineer the code to see if the capabilities to do those actions are in there, or you have to rely on anti-virus scanners, which can generate false positives, the firm said.

As ICSA's Thompson wrote:

When you have hundreds of thousands of apps, coming from all over the world, from any one of numerous and unknown developers, it's just plain hard to figure out when something has crossed the line from aggressive advertising to outright maliciousness....

What most people don't realize is that Android apps are just zip files, and it is really easy to unzip, add some Trojan code, re-zip it, and stick it out on a warez site, masquerading as a legitimate copy of the original app....

Android is a wonderful, useful and exciting platform, but it turns out that it's a really good idea to only download your apps from well-known companies.