“Android is terrifying,” ESET’s David Harley told Infosecurity almost a year ago. His concern was that the open source nature of the platform and the Android app market allows almost anyone to develop and distribute almost anything they want.
Now his concern is proven. Symantec claims that virus Android.Counterclank has infected between 1 million and 5 million Android users, “and may well be the largest infection on Android in its short career.” Counterclank is a modification of the existing Tonclank malware. It can be controlled remotely and is primarily used to steal information.
Counterclank is a trojan being distributed primarily as malware attached to Android games, although there seems no reason for it not to be attached to almost any popular download. The malicious code is grafted on to the application in a package called ‘apperhand’. Symantec explains that when the package is executed, a compromised Android will show a service running with the same name. “Another sign of infection,” it adds, “is the presence of the Search icon above on the home screen.”
A list of 13 infected apps is published on Symantec’s site, and it promises to add more as it discovers them. If you have downloaded one of these apps, the advice is to remove it and run an anti-malware program.
The problem is largely thought to be indicative of more to come. “Without a middleman to ensure consumers can trust the applications being downloaded, expect these type of incidents to grow and continue,” comments Imperva’s Rob Rachwald. “Google may need to rethink their distribution model for apps.” It is a problem that the European Network and Information Security Agency (ENISA) highlighted in its report: Appstore security – 5 lines of defence against malware. One of the five recommendations specifically suggests app review prior to availability.
This attack was targeted through the official Android Market; but as Marnix Dekker, application security officer at ENISA, says, “It would be easy to set up a rogue appstore, run it from some obscure country, fill it with some infected apps. It would also be relatively easy to trick users into installing from there.”