    Symantec clarifies Counterclank malware claim on Android, no longer calls it malware

    Symantec has gone back on its earlier claims of a supposed malware app, Android.Counterclank, having infected as many as five million devices.

    Late last week, Symantec — which makes security software for desktop and mobile platforms — put out a warning over "malicious code" found in 13 apps in the Android Market which it said "can receive commands to carry out certain actions, as well as steal information from the device." It dubbed the supposedly malicious payload "Android.Counterclank," saying that it had reached somewhere between one and five million devices — "the highest distribution of any malware identified so far this year." Rival security firm Lookout was quick to temper Symantec's claim, saying that Counterclank isn't malware, per se; it's just an "aggressive" ad SDK designed to help apps (usually free ones) monetize. It has some capabilities that most users would find unpleasant (sending ads as push notifications, for instance), but it simply doesn't meet the typical benchmark for malware — it doesn't exist with the goal of trying to steal users' data, and it's not trying to compromise devices in an illegal or fraudulent way.

    Now, Symantec's backtracking on its earlier language in an updated blog post that details Counterclank's capabilities, which in part reads:

    The situation we find ourselves in is similar to when Adware, Spyware, and Potentially Unwanted Applications first made appearances on Windows. Many security vendors did not initially detect these applications, but eventually, and with the universal approval of computer users, security companies chose to notify users of these types of applications.

    In other words, Symantec is feeling its way through this — and as Lookout admits, Counterclank's behavior is on the hairy upper end of what you'd consider acceptable before you start dipping your toe in malware territory. Nowhere does Symantec admit that it shot first and asked questions later, though; it simply doesn't refer to the SDK as "malware" or "malicious" anymore. It does say that it asked Google to remove Counterclank-enabled apps from the Market, that Google refused, and that it "expects" those kinds of situations to happen from time to time:

    We have also submitted a ticket to Google for the removal of Counterclank from the Android Market. Google replied quickly informing us the applications met their Terms of Service and they will not be removed. We expect in the future there may be many similar situations where we will inform users about an application, but the application will remain in the Google Android Market.

    As a security firm selling antivirus suites, Symantec will always have something to gain by instilling a certain level of fear in users of every platform that it services — Counterclank is no exception — but as it seems to have learned, there's still a critical gap between "annoying" and "malicious" that it needs to respect. Meanwhile, for Google, the eternal question remains: should it be curating the Market?