Lookout: Our Take on the ‘Apperhand’ SDK (aka ‘Android.Counterclank’)

Via Lookout Mobile Security Blog -

Today, news came out that claimed a particular family of malware, termed ‘Android.Counterclank’, had infected 5 million users. We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK is an aggressive form of ad network and should be taken seriously.

This isn’t malware.
The average Android user probably doesn’t want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behavior. In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar.

Malware is defined as software that is designed to engage in malicious behavior on a device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud.

Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network – not malware.

We’re researching ad networks closely.
We spend a significant amount of time looking not just at mobile apps, but also at SDKs that are commonly integrated into apps. We’ve recently been focusing heavily on the capabilities of various mobile advertising SDKs. We believe that ad networks are important for the overall mobile ecosystem; however, some advertising networks go beyond the commonly accepted behavior of ad networks with more aggressive tactics.

This particular ad network SDK, com.apperhand, bears similarities to one previously distributed in a number of apps in June of 2011 as the “ChoopCheec platform” or “Plankton”.

[...]

We’re continuing our investigation.
At this point, it appears that what we’re seeing is an example of an ad network that pushes the lines of privacy. Over the past few months we have been closely tracking this, and we are seeing a trend of this type of behavior. While this is not malware, we do think that consumers should take it seriously, and we’re actively working on a solution to help users understand whether applications have potentially undesirable behavior such as this while not creating unnecessary worry.