Last week, we posted a blog informing Android users of the discovery of new versions of Android.Tonclank, which we have named Android.Counterclank. The blog generated a bit of discussion over whether these new versions should be a concern to Android users. When classifying applications, our focus is on whether users want to be informed of the application's behavior, allowing them to make a more informed choice regarding whether to install it.
The situation we find ourselves in is similar to when Adware, Spyware, and Potentially Unwanted Applications first made appearances on Windows. Many security vendors did not initially detect these applications, but eventually, and with the universal approval of computer users, security companies chose to notify users of these types of applications.
Since our initial blog post, we have determined the code in the Tonclank and Counterclank applications comes from the same vendor. The vendor is a company who distributes a SDK (software development kit) to third parties to help them monetize their applications, primarily through search.
In particular, the SDK code will connect to a remote server (apperhand.com) and send the following information:
- A SHA1 hash of device information (such as IMEI) to uniquely identify the installation
- Information to identify the application using the SDK
- Device information such as the brand, manufacturer, model, and Android OS version
- Display metrics such as screen size and resolution
- Language preference
- Browser user agent
After receiving this information, the code will wait for a command. Commands of interest include:
ACTIVATION – Causes a webpage to be displayed. The feature appears to be designed to display a webpage with a EULA (end-user license agreement), but our testing was unable to reproduce applications showing such a page.
HOMEPAGE – Sets the browser’s homepage.
BOOKMARKS – Create or request bookmarks. In our testing, we have seen this feature actively used to send all the bookmarks of a device to apperhand.com
SHORTCUTS – Create shortcuts on the home screen.
The homepage, bookmarks, and shortcuts may be sent to the following domain:
http://searchwebmobile.com/search?sourceid=1&app=[UNIQUE APPLICATION ID]
Searchwebmobile.com belongs to a third party, Infospace, who provides monetary compensation to applications redirecting search queries through their website.
Additional commands also exist, but do not have direct security and privacy implications. Further, different versions of the SDK have been created with new commands which have not been fully examined. The analyzed applications did not provide in-app notification of these behaviors and the bookmarks, shortcuts, and homepage modifications do not specify the application behind the change or the responsible company. The SDK provider's website does state they require application developers to place a notification in the Android Market description noting that the application will modify the homepage, create a bookmark, and create a shortcut to a search site. Those notifications did not include information on the exfiltration of bookmarks.
Due to the combined behavior of the applications, negative feedback from users who installed the applications, and the fact that previous applications (Android.Tonclank) using this code were initially suspended from the Google Market, we chose to notify users of Counterclank.
We have also submitted a ticket to Google for the removal of Counterclank from the Android Market. Google replied quickly informing us the applications met their Terms of Service and they will not be removed. We expect in the future there may be many similar situations where we will inform users about an application, but the application will remain in the Google Android Market.
We are also in discussions with the SDK provider and hope to provide feedback which helps ensure mobile users have the necessary details to make informed choices.
The mobile ecosystem is growing rapidly and many monetization paradigms are being explored. At Symantec, we follow these developments closely while actively developing new technologies to cater to the variety of applications available and the differences in users' preferences and tolerances for certain behaviors. Through such technology, we hope to avoid the pitfalls of labels such as malicious, spyware, and adware, and instead provide methods to automatically inform users of undesired applications based on their personal preferences. We hope this future technology will encourage a vibrant mobile ecosystem and, at the same time, keeps users safe.