Lookout’s take on the ‘Apperhand’ SDK (aka ‘Android.Counterclank’)
Today, news came out that claimed a particular family of malware, termed ‘Android.Counterclank’, had infected 5 million users. We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK is an aggressive form of ad network and should be taken seriously.
This isn’t malware.
The average Android user probably doesn’t want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behavior. In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar.
Malware is defined as software that is designed to engage in malicious behavior on a device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud.
Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network – not malware.
We’re researching ad networks closely.
We spend a significant amount of time looking not just at mobile apps, but also at SDKs that are commonly integrated into apps. We’ve recently been focusing heavily on the capabilities of various mobile advertising SDKs. We believe that ad networks are important for the overall mobile ecosystem; however, some advertising networks go beyond the commonly accepted behavior of ad networks with more aggressive tactics.
This particular ad network SDK, com.apperhand, bears similarities to one previously distributed in a number of apps in June of 2011 as the “ChoopCheec platform” or “Plankton”. Early incarnations of this SDK crossed several privacy lines in the data it collected about users, but the current version does appear to have cleaned up its act somewhat. That said, the current SDK has several capabilities that are common to many ad networks:
- It is capable of identifying the user uniquely by their IMEI, for instance, but unlike some networks this SDK forward-hashes the IMEI before sending it to its server. They’re identifying your device, but they are obfuscating the raw data.
- The SDK has the capability to deliver “Push Notification” ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware.
- The SDK drops a search icon onto the desktop. Again, we consider it bad form, though we don’t consider this a smoking gun for malware provided the content that is delivered is safe. In this case, it is simply a link to a search engine.
- The SDK also has the capability to push bookmarks to the browser. In our opinion, this crosses a line, although we do not believe this is cause to classify the SDK as malware.
Of the applications that were originally identified as malicious, a subset of them have subsequently been pulled from the Android Market. However, it’s important to note that this does not include all identified applications, and reasons for removal may also include content, copyright, or other violations of the Android Market’s Terms of Service.
We’re continuing our investigation.
At this point, it appears that what we’re seeing is an example of an ad network that pushes the lines of privacy. Over the past few months we have been closely tracking this, and we are seeing a trend of this type of behavior. While this is not malware, we do think that consumers should take it seriously, and we’re actively working on a solution to help users understand whether applications have potentially undesirable behavior such as this while not creating unnecessary worry.
Lookout believes in educating our users about the apps that they’re installing. We’ll have more to share about what we’re working on in this area in the coming weeks – stay tuned.
If you have questions, please comment or write us.
-Lookout

While most of us hate ads, the ad supported app development model is a legitimate way for developers to get compensated.
Having said that, the question then becomes where do we draw the line in the sand between acceptable and not? As with most things, in the end consumers will decide with the guidance of Lookout and other experts.
I’ve been a very happy Lookout customer, but I have to say that the Apperhand situation, and your response to it so far, has me concerned.
While its characteristics may not satisfy your precise definition of malware, it really comes at least very close to that line, and as a customer of Lookout Premium on my Android devices, I want to be protected, or at least be informed when aberrant or undesirable capabilities are in any app that I am in the process of installing. Perhaps user selectable options in the Lookout app which would allow us to personalize the level of protection/notification that we want in our devices would be helpful.
Ha, as a user who checks out permissions… I’d already dodged this bullet (“push bookmarks” was a bridge too far for a standalone app), but thanks Lookout for conveying the true nature of this beast and congratulations on resisting the temptation of labeling everything possible as a ‘virus’.
Symantec deserve their status four pages lower than yours in my search for information on apperhand.
Just had to come back and comment again here (as Symantec do not allow for comments).
From Symantec’s recommendations:
“Disable AutoPlay” – really… on Android?!?
“restore the computers using trusted media”
Symantec, check your boilerplate text is appropriate if you’re going to cut-and-paste security recommendations.
Another gem was “Steal build information”. Wow, as a developer I never knew I was “stealing” this information, I thought I was using it to detect the expected capabilities but I must be mistaken.
@Wright PC, thanks for reaching out. While Apperhand gives no evidence of outright malicious behavior, we believe that ad networks should be more transparent as to the data they are gathering and have a clear opt-out for users. We’re actively working on a way to help users understand whether applications have potentially undesirable behavior such as this while not creating unnecessary worry. Stay tuned!
Call it what you want. Here’s my question: Will either Lookout or Symantec stop it from loading, warn me before I install infected software, or warn me immediately after and help me get rid of it?
To be honest, I think you’ve got the wrong end of the stick here.
How can changing browser home pages, placing desktop shortcuts, and _removing_ a person’s bookmarks be anything but criminal malware activity?
I’m a new Android customer, and I was all ready to believe Lookout would be doing the job for Android which Symantec finally settled down to do for Windows.
I would hardly pay you to take the rogue advertiser’s wishes to not defend me. Changing anything on my tablet is way out of bounds, and what we do pay security defenders to eliminate.
That is for anyone in a family, just to open up your thinking. Do you want advertisers manipulating your own children or elder parents, by changing what is on their desktop or in favorites?
Don’t throw your opportunity away. Change your policy on (for heaven sakes, what a name) Apperhand/CounterClank to begin recovering your opportunity.
Who is going to stop you for acting in a fair and customer-responsible way??
Regards,
WisdomWouldAttract
A further thought, as you’re awaiting moderation on my first comment.
Since you agree that many of the things CounterClank can do are against the spirit of decent behaviour by advertisers, why not simply give the choice to those who pay for your anti-malware monitor?
For example, there can be clear configuration checkboxes to prevent pushing shortcuts and bookmarks and any other form of pushed content. There can be the same for _removing_ bookmarks, etc., and for identifying the customer platform in any personally-connectable way.
It seems this would be much better policy than Lookout trying to define what customers want or don’t want in the way of protection, doesn’t it?
Regards again…
As a Lookout Premium customer I want to say that this issue should be taken a LOT more seriously. While I might not disagree that this is not a “virus” it is certainly at least pushing the envelope of malware. This kind of thing should be blocked by default and allowed through some kind of escalation or configuration option.
While I think that the Symantec security bulletin was self-serving I am afraid your response is self-serving as well.
Make sure your tool gives unambiguous, bullet-proof protection.
@Victor, Eric, Seth, and WisdomWouldAttract, thanks very much for your feedback. We’ve heard from a number of our users that they are confused by some of the ads being served to them on their phones. Often these ads can be misinterpreted as malware. To give you more insight into which ad networks are present on your device, our Lookout Labs team just released an early version of a new app called Push Ad Detector. Push Ad Detector scans your device for the presence of a select number of ad networks that are capable of displaying out-of-app advertisements. The goal of the app is to give you insight and more control over the ad networks running on your smartphones. You can download the Push Ad Detector directly from the Android Market: https://market.android.com/details?id=com.lookout.addetector. If you have other questions/comments, please send them our way: feedback@mylookout[dot]com. Thank you!
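An added illustration of the kind of scan described in the comment above (example code, not Lookout's and not how Push Ad Detector is implemented): it checks whether an app's DEX type descriptors include classes under the `com.apperhand` namespace named in the post, and which permission-gated capabilities from the post's list the app declares. The app ids, class names and the permission-to-capability mapping are assumptions constructed for the example.

```python
import re

# SDK namespace named in the post; further entries could be added the same way.
SDK_NAMESPACES = {"Apperhand": "com.apperhand"}

# Assumption: Android permissions gating the capabilities the post lists.
CAPABILITY_PERMISSIONS = {
    "read device identifier (IMEI)": "android.permission.READ_PHONE_STATE",
    "install home-screen shortcut": "com.android.launcher.permission.INSTALL_SHORTCUT",
    "write browser bookmarks": "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS",
}

_DESCRIPTOR = re.compile(r"^\[*L([^;]+);$")  # DEX class or array-of-class type

def class_name(descriptor):
    """Turn 'Lcom/foo/Bar;' into 'com.foo.Bar'; return None for primitives."""
    m = _DESCRIPTOR.match(descriptor)
    return m.group(1).replace("/", ".") if m else None

def scan_app(descriptors, permissions):
    """Report embedded SDK classes and app-wide permission-gated capabilities."""
    names = {n for n in map(class_name, descriptors) if n}
    sdks = {}
    for label, ns in SDK_NAMESPACES.items():
        # Match on a package boundary so 'com.apperhandy.X' is not a hit.
        hits = sorted(n for n in names if n.startswith(ns + "."))
        if hits:
            sdks[label] = hits
    caps = sorted(c for c, p in CAPABILITY_PERMISSIONS.items() if p in permissions)
    return {"sdks": sdks, "capabilities": caps}

# Constructed sample input: app ids and class names are placeholders.
SAMPLE_APPS = {
    "com.example.wallpapers": (
        ["Lcom/example/wallpapers/Main;", "Lcom/apperhand/placeholder/A;",
         "[Lcom/apperhand/placeholder/B;", "I"],
        {"android.permission.INTERNET", "android.permission.READ_PHONE_STATE",
         "com.android.launcher.permission.INSTALL_SHORTCUT"},
    ),
    "com.example.notes": (
        ["Lcom/example/notes/Main;", "Lcom/apperhandy/ui/View;"],
        {"android.permission.INTERNET"},
    ),
}

if __name__ == "__main__":
    for app, (descs, perms) in SAMPLE_APPS.items():
        print(app, scan_app(descs, perms))
```

The permissions reported are declared by the whole app, so they show what an embedded SDK could do rather than what it does.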