Last week Symantec made headlines, claiming that somewhere between 1 million and 5 million Android users had been infected with a particular kind of malware identified as Android.Counterclank. In an alarming blog post, the security software retailer notes Android.Counterclank's overly broad permissions and ability to send personal data through a network connection. Now rival security software vendor Lookout Mobile Security claims that Symantec's post was overblown, and that the code executing in the 13 apps identified is overly aggressive adware, not malware.
According to Lookout, the Apperhand package is the common code running in al l13 offending apps. Once executed it places a search icon on the Android home screen which links exclusively to partner ad websites. Lookout disagrees with Symantec's assessment that the relevant apps qualify as "malware", though they do say that most Android users wouldn't want the ads running on their phone or tablet. Syamntec is sticking with its classification. The ad network identifies individual phones via IMEI number, pushes ads to the phone (as if they were SMS or email messages) and drops bookmarks into users' browser apps, but Lookout still does not consider this "malicious" activity.
What we have here is a battle of interpretation. Symantec classifies the apps as malware based both on their observed activities and their capabilities - namely, the possibility that the apps can send personal information through an otherwise necessary Internet connection. Lookout disagrees, asserting that Symantec's original claims were overblown. While Symantec's post is certainly self-serving, it doesn't appear deceitful - they outline the capabilities of the Android.Counterclank API and why users should be worried. However, since not all of the 13 apps originally identified by Symantec have been removed form the Android Market by Google, users can assume that whatever objectionable content is to be found in their code does not constitute "malware" by Google's definition.