Lookout Security rebuts rival's Android malware claims

Symantec sees malicious behavior, but Lookout credits ad network supporting free Android apps

Researchers from Lookout Security disagreed with rival Symantec that 13 apps on the Android Market were malicious, instead saying that they showed the same behaviors as other ad-supported apps.

Earlier today, Symantec's Kevin Haley, a director with the company's security response team, said that 13 apps, some available in Google's official download store for at least a month, were created to distribute "Android.Counterclank," a Trojan that, among other things, modifies the browser's home page and bookmarks, and inserts a search icon that some users have said is impossible to delete.

Symantec estimated the number of downloads of the 13 apps at between 1 and 5 millions, prompting it to call the campaign the largest Android malware outbreak ever.

Lookout researchers disagreed.

"This is pretty clearly an ad[vertising] network that's similar to other ad networks," said Tim Wyatt, a principal engineer with Lookout, which markets a popular Android-specific security app.

Wyatt declined to identify the network he said was being used by the 13 apps -- which originate from three different publishers -- and that requests the permissions and exhibits the behavior Symantec dubbed malicious.

"This ad network does have the capability to enter bookmarks in your browser, which is different from other ad networks," Wyatt continued. "But a lot of its functionality is being embedded in other apps. Part of the business model of the company that owns the ad network is to add search conducted from apps."

Wyatt wasn't ready to call the apps' bookmark modifications over-the-line conduct, however, saying that Lookout is still investigating the 13 apps, as well as others that relied on different advertising networks for generating revenue for their free programs.

"I can tell you that this code [seen in the 13 apps] is not the only code for doing things like this," said Wyatt. "There are 10-plus ad networks that we track that have the same functionality."

Wyatt said that Symantec had "significantly overblown" the story by labeling the apps as Trojan-infected, and added that its rival had been "a bit premature" in coming to its conclusions.

Symantec did not respond to a request for comment on Lookout's assertions.

The debate over what is and what is not malware on Android is reminiscent of the argument years ago between security companies and developers over the term "adware," a software category that the former believed malicious enough to detect and delete, and that the latter saw as relatively harmless.

The dispute over adware -- and to a much lesser extent over the label "spyware" -- eventually led to several court cases. Currently, most security software detects adware as malicious or unwanted.

Last year, Wyatt said, Lookout had studied "Tonclank," code that Symantec said was the precursor to Counterclank, and determined that it, too, was not malicious per se, but instead spyware.

Information about Tonclank was first published by Xuxian Jiang, an assistant professor in computer science at North Carolina State University, whose team named the code "Plankton" and used the term "botnet" to describe it.

"We thought it was spyware, but then we decided it was a prototype ad network that crosses the line into spyware," said Wyatt. "Since then, [the ad network] has pulled back from that."

"We have been looking at exactly this type of behavior," added Derek Halliday, a Lookout senior security product manager, referring to Counterclank. "We understand that this type of behavior can be confusing to the average user, but Symantec is inflating that confusion with messages that it's malware."

Wyatt, too, was firm in his belief that apps containing Counterclank are not malicious.

"This does raise questions about what's acceptable behavior for apps, but I think it's fair to say that [these apps] aren't exhibiting any maliciousness," Wyatt said. "If you do, you're getting ahead of yourself."

Both Wyatt and Halliday said that Lookout's investigation into Counterclank-using apps is ongoing, and they promised the company would issue a report on them in the upcoming weeks.

Google declined to comment on Symantec's claims and Lookout's rebuttal.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

See more articles by Gregg Keizer.

Copyright © 2012 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon