What may be the largest ever malware campaign against Android users have been uncovered. The malware discovered was packaged in 13 different apps from three different publishers, and found in Android Market. Dubbed “Android.Counterclank” by Symantec, the attack seems to take a different tactic compared to the more common “repackaging method”. This practice involves repackaging a legitimate app with attack code, then re-release it to the marketplace in the hope that users will confuse the infected version with the real deal. “These aren’t rebundled apps, as we’ve seen so many times before” said Kevin Haley, a director with Symantec‘s security response team.
The 13 different applications have titles ranging from “Sexy Girls Puzzle” to “Counter Strike Ground Force”, and many of the infected apps were still available on the Android Market as of 3 p.m. ET Friday. Symantec estimated the impact by combining the download totals of the 13 apps, arriving at a figure between 1 million on the low end and 5 million on the high. “Yes, this is the largest malware outbreak on the Android Market” said Haley.
Android.Counterclank is a Trojan horse that when installed on an Android smartphone collects a wide range of information, including copies of the bookmarks and the handset maker. It also modifies the browser’s home page. The hackers have monetized the malware by pushing unwanted advertisements to compromised Android phones.
Although the infected apps request an uncommonly large number of privileges, and this is something the user must approve, few people seem to bother reading what privileges are requested, before giving their okay. “If you were the suspicious type, you might wonder why they’re asking for permission to modify the browser or transmit GPS coordinates,” said Haley. “But most people don’t bother.”
All 13 suspected apps are free for the downloading and some of the apps that Symantec identified as infected have been on the Android Market for at least a month, based on the revision dates posted on the e-store. Symantec, however, discovered them only yesterday. Symantec have now published a list of the 13 infected apps on its website.
