George Santayana said a great deal more than “Those who cannot remember the past are condemned to repeat it,” but it’s probably the one quotation that nearly everyone in the security field will remember approximately verbatim.
For what (if anything) will I be remembered? Apparently, it’s likely to be a throwaway remark I made at the end of an interview with the UK journalist Steve Gold
about a year ago, when the conversation turned to Android security. Apparently, I said something to the effect of “Android is terrifying.”
I don’t, in fact, have panic attacks in the presence of certain smartphones, but I guess the remark got more attention than “Security researcher anticipates increased volumes of Android malware in the next year or so” would have done. Frankly, that would probably have been seen as an insight with as much significance as “It will rain soon in Seattle” -- had not DroidDream, arguably the first major Android malware, hit the world’s radar just a day or two after.
Now the meme has resurfaced
in the context of Symantec’s claim that there have been between 1 million and 5 million downloads of 13 apps infected with the malicious code called Android.Counterclank. In fact, the threat summary on Symantec’s own Website is considerably more restrained (1,000+ infections).
The trouble is that there’s a certain amount of debate as to whether the Android.Counterclank code is actually malicious. After all, it does actually ask during the installation process for permission to access some network and phone status data. The Android AV developer Lookout considers Counterclank to be “aggressive advertising,” rather than malware. And according to The H, Symantec is scaremongering.
The apparent difficulty lies in the definition of malware. Lookout has a (somewhat circular) definition that includes the phrase “designed to engage in malicious behaviour.” Well, yes, malware is a portmanteau word derived from MALicious softWARE. However, the company’s definition of malice is extraordinarily narrow -- “used to steal personal info... that could result in identity theft or financial fraud.”
There isn’t actually a universally accepted definition of malware, even in the AV industry -- heck, we never even came up with universal definitions for “virus” or “worm” or “Trojan” -- but as we use it in practical terms, it covers a lot more than that, including deliberate destruction of data or services, encryption for purposes of extortion, carrying a “joke” payload, and even doing nothing but replicating. (The last category includes most traditional viruses, as it happens.)
Symantec is, I imagine, concerned about the range of information that is silently accessed about the phone and its user, along with the very close similarity of some of the SDK code to pre-existing code found in earlier apps that are unequivocally considered to be malware. In fact, other vendors are detecting Counterclank using the same heuristic detections as Plankton/Tonclank, and they have been doing so for several months.
Lookout’s blog implies that, because the latest batch of programs do not use blatant backdoor and data-stealing functionality, the classification has changed from “malicious” to what many vendors call “possibly unwanted.” I remain unconvinced. Changing the browser’s home page might be considered “aggressive advertising,” but unless it’s specifically permitted by the user -- and Counterclank goes beyond the list of permissions requested, according to Symantec’s description -- it sounds very much like unauthorized modification to me, and that’s illegal in many jurisdictions (including here in the UK). In fact, while the underlying mechanism differs, misdirecting to a site that suits the software rather than the system user is uncomfortably close to the DNSchanger class of malware.
Google has removed some of the apps said to contain the Counterclank code from the market. However, five apps are still available, even though they were flagged by Symantec as containing the same “apperhand” code to which it has given the name Counterclank. It appears that Google considers
these apps to meet their terms of service. Given the modifications that Counterclank is capable of making to the user’s system, this decision seems controversial, to say the least.
— David Harley has worked with ESET North America -- where he holds the position of Senior Research Fellow -- since 2006.