Android Counterclank is (not) malware

Despite the stint of very cold weather here in Europe, the Android malware scene is definitely warming up.

In SophosLabs, we track the number of malicious Android packages acquired. I have to admit, even I was surprised to find that the number of malicious apps in our database has grown to over 4000, an increase of over 400% since December 2011.

Most of the malicious apps can be found on alternative, usually Russian and Chinese, Android marketplaces, where several groups or individuals decided that creating applications that send SMS messages to premium rate numbers or install additional components is the right way to make some money.

However, malware is occasionally found in the real Android Marketplace, where it is swiftly removed by the Marketplace security team as soon as it is discovered.

One recent example was a bit controversial. Several popular apps, published by at least three developers (iApps7 Inc, Ogre Games and Redmicapps), have been identified by Symantec as malicious, and the original story was pushed by the Symantec PR department.

The claim was later disputed by the team from Lookout in a blog post that gives more details about the functionality of an advertising framework included with the offending apps.

It turns out that the Apperhand framework is related to an advertising framework used more than half a year ago by the Plankton app. I previously wrote that it is not clear whether this framework is malicious or not.

Indeed, we have to go back several years, to the birth of Potentially unwanted applications (PUA) on Windows, which would probably be the best way to describe the applications reporting to They are not inherently created with malicious intent.

Nevertheless, the advertising framework used by the developers to make money from free apps is an issue. If the user does not carefully read the EULA (End User License Agreement), they will end up with unwanted adverts on their device and potentially the loss of personally identifiable information.

Currently, Sophos does not have a PUA category for Android and we think that these apps have no place in a corporate environment. That is why Sophos products detect offending apps as Andr/NewyearL-B.

The race to create malicious packages which will remain undiscovered on the Google Android market for as long as possible is likely underway. These apps could lie dormant until a critical number of devices are infected.

As a consequence, soon we will see more obfuscated examples which will be more difficult to discover.

Until then, one of the better ways of steering clear of Android malware is to install applications strictly from official marketplaces like Google, Amazon or Barnes and Noble.

Stick with the more popular apps that are published by known developers and have been present on the market for a longer time.