January 27, 2012

Lookout’s take on the ‘Apperhand’ SDK (aka ‘Android.Counterclank’)

Today, news came out that claimed a particular family of malware, termed ‘Android.Counterclank’, had infected 5 million users. We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK is an aggressive form of ad network and should be taken seriously.

This isn’t malware.
The average Android user probably doesn’t want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behavior. In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar.

Malware is defined as software that is designed to engage in malicious behavior on a device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud.

Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network – not malware.

We’re researching ad networks closely.
We spend a significant amount of time looking not just at mobile apps, but also at SDKs that are commonly integrated into apps. We’ve recently been focusing heavily on the capabilities of various mobile advertising SDKs. We believe that ad networks are important for the overall mobile ecosystem; however, some advertising networks go beyond the commonly accepted behavior of ad networks with more aggressive tactics.

This particular ad network SDK, com.apperhand, bears similarities to one previously distributed in a number of apps in June of 2011 as the “ChoopCheec platform” or “Plankton”.  Early incarnations of this SDK crossed several privacy lines in the data it collected about users, but the current version does appear to have cleaned up its act somewhat. That said, the current SDK has several capabilities that are common to many ad networks:

  1. It is capable of identifying the user uniquely by their IMEI, for instance, but unlike some networks this SDK forward-hashes the IMEI before sending to its server. They’re identifying your device, but they are obfuscating the raw data.
  2. The SDK has the capability to deliver “Push Notification” ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware.
  3. The SDK drops a search icon onto the desktop. Again, we consider it bad form, though we don’t consider this a smoking gun for malware provided the content that is delivered is safe.  In this case, it is simply a link to a search engine.
  4. The SDK also has the capability to push bookmarks to the browser.  In our opinion, this crosses a line; although we do not believe this is cause to classify the SDK as malware.

Of the applications that were originally identified as malicious, a subset of them have subsequently been pulled from the Android Market. However, it’s important to note that this does not include all identified applications, and reasons for removal may also include content, copyright, or other violations of the Android Market’s Terms of Service.

We’re continuing our investigation.
At this point, it appears that what we’re seeing is an example of an ad network that pushes the lines of privacy. Over the past few months we have been closely tracking this, and we are seeing a trend of this type of behavior. While this is not malware, we do think that consumers should take it seriously, and we’re actively working on a solution to help users understand whether applications have potentially undesirable behavior such as this while not creating unnecessary worry.

Lookout believes in educating our users about the apps that they’re installing. We’ll have more to share about what we’re working on in this area in the coming weeks – stay tuned.

If you have questions, please comment or write us.


  1. Vess says:

    The thing, apparently, not only adds bookmarks; it also changes the home page of the browser.

    Most users won’t care about the fine points between “malware”, “adware” and “spyware”. It’s all the same to them – “stuff I don’t want on my phone, so please detect and remove it”.

  2. Wright PC says:

    While most of us hate ads, the ad supported app development model is a legitimate way for developers to get compensated.

    Having said that, the question then becomes where do we draw the line in the sand between acceptable and not? As with most things, in the end consumers will decide with the guidance of Lookout and other experts.

    • Amy says:

      @Wright PC, thanks for reaching out. While Apperhand gives no evidence of outright malicious behavior, we believe that ad networks should be more transparent as to the data they are gathering and have a clear opt-out for users. We’re actively working on a way to help users understand whether applications have potentially undesirable behavior such as this while not creating unnecessary worry. Stay tuned!

  3. mike cunningham says:

    So, you are “investigating”.

    While you investigate why don’t you give us users a warning and/or an option to delete this crapware, malicious or not. Now that’s the kind of advanced feature that is going to get you paying customers… hint hint.

    I suppose you may be concerned about offending app vendors?

  4. Victor Weinrich says:

    I’ve been a very happy Lookout customer, but I have to say that the Apperhand situation, and your response to it so far, has me concerned.

    While its characteristics may not satisfy your precise definition of malware, it really comes at least very close to that line, and as a customer of Lookout Premium on my Android devices, I want to be protected, or at least be informed when aberrant or undesirable capabilities are in any app that I am in the process of installing. Perhaps user selectable options in the Lookout app which would allow us to personalize the level of protection/notification that we want in our devices would be helpful.

    • Amy says:

      @Victor, Eric, Seth, and WisdomWouldAttract, thanks very much for your feedback. We’ve heard from a number of our users that they are confused by some of the ads being served to them on their phones. Often these ads can be misinterpreted as malware. To give you more insight into which ad networks are present on your device, our Lookout Labs team just released an early version of new app called Push Ad Detector. Push Ad Detector scans your device for the presence of a select number of ad networks that are capable of displaying out-of-app advertisements. The goal of the app is to give you insight and more control over the ad networks running on your smartphones. You can download the Push Ad Detector directly from the Android Market: https://market.android.com/details?id=com.lookout.addetector. If you have other questions/comments, please send them our way: feedback@mylookout[dot]com. Thank you!

  5. PuZZleDucK says:

    Ha, as a user who checks out permissions… I’d already dodged this bullet (“push bookmarks” was a bridge too far for a standalone app), but thanks Lookout for conveying the true nature of this beast and congratulations on resisting the temptation of labeling everything possible as a ‘virus’.

    Symantec deserve their status four pages lower than yours in my search for information on apperhand.

  6. PuZZleDucK says:

    Just had to come back and comment again here (as Symentec do not allow for comments :P).

    From Symentecs Recommendations:
    “Disable AutoPlay” – really… on Android?!?
    “restore the computers using trusted media”

    Symentec, check your boiler plate text is appropriate if your going to cut-and-paste security recommendations.

    Another gem was “Steal build information”. Wow, as a developer I never knew I was “stealing” this information, I thought I was using it to detect the expected capabilities but I must be mistaken.

  7. Glimby says:

    It does not matter one jot whether the behaviour is malicious or not. Trojan is as Trojan does. This piece of toiletware is not relevant to the application being installed, it is not announced and it is not wanted and its purpose is to do perform unwanted operations. It is, by definition a trojan. End of.

    Now just let me break the fingers of the little shit that coded it and the equally odious bastard that wanted to distribute it.

  8. Eric says:

    Call it what you want. Here’s my question: Will either Lookout or Symantec stop it from loading, warn me before I install infected software, or warn me immediately after and help me get rid of it?

  9. […] claim was later disputed by the team from Lookout in a blog post that gives more details about the functionality of an advertising framework included with the […]

  10. WisdomWouldAttract says:

    To be honest, I think you’ve got the wrong end of the stick here.

    How can changing browser home pages, placing desktop shortcuts, and _removing_ a person’s bookmarks be anything but criminal malware activity?

    I’m a new Android customer, and I was all ready to believe Lookout would be doing the job for Android which Symantec finally settled down to do for Windows.

    I would hardly pay you to take the rogue advertiser’s wishes to not defend me. Changing anything on my tablet is way out of bounds, and what we do pay security defenders to eliminate.

    That is for anyone in a family, just to open up your thinking. Do you want advertisers manipulating your own children or elder parents, by changing what is on their desktop or in favorites?

    Don’t throw your opportunity away. Change your policy on (for heaven sakes, what a name) Apperhand/CounterClank to begin recovering your opportunity.

    Who is going to stop you for acting in a fair and customer-responsible way??


  11. WisdomWouldAttract says:

    A further thought, as you’re awaiting moderation on my first comment.

    Since you agree that many of the things CounterClank can do are against the spirit of decent behaviour by advertisers, why not simply give the choice to those who pay for your anti-malware monitor?

    For example, there can be clear configuration checkboxes to prevent pushing shortcuts and bookmarks and any other form of puahed content. There can be the same for _removing_ bookmarks, etc., and for identifying the customer platform in any personally-connectable way.

    It seems this would be much better policy than Lookout trying to define what customers want or don’t want in the way of protection, doesn’t it?

    Regards again…

  12. Seth Spearman says:

    As a Lookout Premium customer I want to say that this issue should be taken a LOT more seriously. While I might not disagree that this is not a “virus” it is certainly at least pushing the envelope of malware. This kind of thing should be blocked by default and allow through some kind of escalation or configuration option.

    While I think that the Symantec security bulletin was self-serving I am afraid your response is self-serving as well.

    Make sure your tool gives unambiguous, bullet-proof protection.

  13. WisdomWouldAttract says:

    Amy, let me say what this episode and your extra software have meant to me.

    I tried your Ad Detector. It seems to operate easily, and says I have no apps which will push advertisements. I appreciate this.

    However, your company attitude at present, just as Seth observes, is not on my side. It is, for reasons I don’t understand, still saying that placing bookmarks, placing shortcuts, and placing push ads is ‘ok’.

    You give me the chance to manually detect one of these, which is not at all the same thing as giving automatic protection for me, or those of my family. And it is not protecting at all against shortcuts, etc..

    The protection for all spam, confusions, and worse should instead be build in to your product, and your principles, which we depend on. If I like to have push ads etc., then I could choose to turn it off.

    Now, because of your unsafe principles, I am trying Norton Security and Antivirus on the Android instead.

    I don’t know why you want to be on the side of the less than good players among advertisers. Wny be soft here?

    Change that position and how your software works, and then there can be interest in Lookout again.

    Thank you and regards.

  14. Quality articles or reviews is the main to invite the visitors to pay a visit the site, that’s what this site is providing.

  15. Spook Murphy says:

    Lookout’s analysis on this issue is a tell. What motivates Lookout to reach this disarming conclusion? They are taking $ from both sides, the user and the ad pusher. This is nothing more than a betrayal of trust.

  16. JARMEZ says:

    Hey Lookout, this stuff still seems to be going on. What is happening as far as I can tell is that developers are not conscious of the magnitude of their actions (OR they are and that is being very sinister) .
    Take this scenario for instance. A developer puts up a free version of their app. And after sometime they embed ads into the release version and it is pushed out to millions of users world wide. Instantly things become profitable compared to offering it for free with ads straight up right? Note: Last year experts were saying that the users are willing to go with free versions of apps for the sake of ads?
    So say this updated version is automatically pushed to your device. I am disabling automatic update on Google Play store for this very reason
    I am going to give Lookout another go again after Avast did not detect some apps:

    See my analysis here:http://forum.xda-developers.com/showthread.php?t=2320533

Leave a comment