Monday, January 30, 2012

Android.Counterclank: Malware or Adware?

This weekend I noticed a ComputerWorld article titled "Massive Android malware op may have infected 5 million users". After reading, it seemed to be exactly the sort of thing many people have been suggesting - an increasingly large-scale outbreak of malicious activity in the Android market, as malware authors saw larger numbers of potential targets. After forwarding the article to my VRT colleagues, we quickly got copies of the few apps that Google hadn't already pulled - specifically, the files com.redmicapps.puzzles.ladies2_v1.02.apk, com.redmicapps.puzzles.ladies3_v1.02.apk, and com.christmasgame.deal_v1.0.1.apk. Eager to see how bad the damage was, we sat down to analyze them yesterday morning.

Some initial static analysis by Alain Zidouemba seemed to confirm what Symantec was saying in its writeup. Not only did the URLs mentioned there appear in the code, the testGetUserID() function pulled the exact information listed in the Symantec writeup:

Dynamic analysis inside the Android emulator was equally promising at first. Within seconds of installation, an HTTP POST to appeared, and a slew of data was sent off in plaintext:

○ {"initiationType":"first time","needSpecificParameters":true,"applicationDetails":{"abTests":null,"applicationId":"212546654","build":{"brand":"generic","device":"generic","manufacturer":"unknown","model":"sdk","os":"Android","versionRelease":"2.3.3","versionSDKInt":10},"developerId":"987550925","deviceId":"wCxwXphYj3JMoEasWcr+zmVQHjY=","displayMetrics":{"density":1.5,"densityDpi":240,"heightPixels":800,"scaledDensity":1.5,"widthPixels":480,"xdpi":240.0,"ydpi":240.0},"locale":"en_US","protocolVersion":"1.0.6","sourceIp":null,"userAgent":"Mozilla/5.0 (Linux; U; Android 2.3.3; en-us; sdk Build/GRI34) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"},"parameters":{}}

The response that came back made it clear that a unique installation was being tracked:


Subsequent requests to this URL showed a successful activation, and later returned a "SEARCH URL" of "{$CATEGORY$}?sourceid=7&app=4Ek2WZkCbw1Yw9VS%2F6q9D8zE67pPruhMY4SiC6pvyUzqgGNpf%2FjIrlCBA7Bp03eF9wSiv%2FHkJK%2FvkoMTkeCPaA%3D%3D&q={$QUERY$}", which again backed up the Symantec threat report. Figuring we were on to something, we let the malware run, interacting with it as a normal user would (i.e., by playing the games).

The problem was, nothing all that interesting ended up happening. Across the two distinct applications (the two "ladies" puzzles behaved essentially identically), nothing more than a series of advertising-related requests occurred in the background:

  • A POST to with some device information, which a quick Google search showed was related to mobile ads

  • Several POSTs to that contained snippets of data that appeared to be related to the game in progress; visiting the home page redirected us to a jigsaw puzzle game on the Android market

  • A POST to that contained data about the Android version, country and timezone of the user, etc.; this appears to be related to a Chinese mobile analytics tool

  • GET requests for URLs on and, which both returned advertising content

At this point, we started to wonder whether these apps were really malicious, or just using obnoxious ad networks. Going back and re-examining the data from the requests, we realized that the data was essentially all information an ad provider would find useful: everything from device version to screen size, and an ID that would be useful to track which host was clicking on which ad. From there, we started doing some digging to understand what exactly happens in the world of mobile advertising, and whether this was out of the norm.

We quickly ran across a blog post from Mobclix - one of the advertisers we'd seen in the packet captures - discussing the need for unique IDs in targeted ads. That rendered the most suspicious piece of the data largely moot in our opinion.

Digging a little further, we noticed that Lookout Mobile Security had actually put together a blog post the same day as the ComputerWorld article, refuting Symantec's claim that Counterclank was malware and insisting it was simply obnoxious adware. For instance, they noted that sending off IMEI data - used to uniquely fingerprint modern mobile phones - is common across multiple networks, but that the Apperhand SDK used by Counterclank actually went to the trouble of hashing that value before sending it along to preserve privacy. Looking at the code, this was easy to confirm:

The Lookout report, like Symantec's, noted that Apperhand appears to be based on another SDK known as Plankton, which was much less concerned with user privacy and much more pushy about its ad behavior. This seems to be confirmed by the way these new files are detected by some AV vendors: of the 11 vendors listed in the VirusTotal report that detect the "ladies3" app, four call it some variant on "Plankton", three a variant of "Counterclank", and the remaining four have miscellaneous or generic labels for it. Given that all the reports we've seen thus far describe Apperhand as a kinder, gentler version of Plankton, it seems likely that that SDK may simply be an advertising setup that's not good at respecting user boundaries.

So what's the VRT take on this, you ask? We think it's pretty clear you don't want any of these apps on your phone. Not only do they send out data that may make you uncomfortable to ad networks you have control over, they're actually poorly written anyway - for example, the "Deal & Be Millionare" game didn't even bother to rotate for proper screen orientation:

That said, we think this falls into they gray area of "crappy adware" more than being outright malware. This SDK certainly could use further scrutiny, as do any of the other more pushy advertising setups on mobile phones. Barring further evidence, though, it just doesn't seem to rise to the threshold of other apps that commit SMS fraud, have clear command and control channels, etc.

Since we're not the final authority on the matter, though, we're going to make it easy to decide for yourself how you feel about these apps. We're providing a signature in today's SEU that will detect the POST requests sent to the Apperhand site, and we encourage you to take a look at our packet captures (here and here) to see the raw data yourself. There's also ClamAV coverage under the name Andr.Plangton-12. After all, it's your network, so why shouldn't you be able to defend it, even from crappy adware?

Thursday, January 5, 2012

A New Hope

Rep. Mike Rogers (R-MI) and Rep. Dutch Ruppersberger (D-MD) know a secret:  The Federal government is REALLY good at watching people, much better than, say, the private sector.  So they asked themselves (at least they did in my mind), "Why not share some of that information in order to protect American businesses from the ubiquitous cyber-security threat?"

Hey guys…that’s a damn good idea!

Seriously, I thought it was a great idea.  So it was with a good deal of enthusiasm that I printed out H.R. 3523, or to use its more sexy name, the “Cyber Intelligence Sharing and Protection Act of 2011”.[1]  There are only 11 pages, a lot of it standard language stuff, but it essentially lays out that the governement can share with the private sector and vice versa.  Of course, it's never that simple.  For example, the NSA can only share with cleared organizations that can demonstrate they know how to handle classified information.

There is also the small matter of the following statement from the proposed legislation:  "classified cyber threat intelligence may only be … shared consistent with the need to protect the national security of the United States.”  Which, of course, leaves one giant question:  What, exactly, constitutes a threat to national security?

There are, of course, the obvious…terrorists, nuclear proliferation, hostile foreign nations, and the like.  But that isn’t what Rogers and Ruppersberger are thinking here.  They are, according to Mike Rogers, targeting “economic predators, including nation-states, [that] are blatantly stealing business secrets and innovation from private companies.” [2] So we aren’t talking missiles, bombs and airplanes, we’re talking, potentially, about contract negotiations, natural resource surveys and customer lists.

A recent report [3] by the Office of the National Counter Intelligence Executive (ONCIX) states that “Losses of sensitive economic information and technologies to foreign entities represent significant costs to US national security.”  Clearly, this administration, and apparently this congress, are adopting the position that jacking with U.S. companies jacks with the national security.  Given the nature of the world today, I think they're right to do so.

I know...I'm not well known for staunchly backing the ideas of legislators or administrators.  You wouldn't be blamed for thinking I’m a cynical, pessimistic nutter who lived by himself in a wooden hut, eating nothing but pickled ginger and gummy bears while spending his day ranting about the overly generous nature of most computer networks.[4]  But this time -- and I do have trouble saying this -- I think they’re on to something.  The private sector just isn't in a position to match the federal government's ability to generate intelligence.  In fact of all the things the government could provide in the forms of mandates, laws, policies, rules, reporting requirements, CISSP factories, etc... intelligence is really the only thing that makes sense.  It's the only thing that they can provide that industry can't legitimately generate itself.  I think this is a really good piece of legislation.

Of course, there are lots of ways to screw it up, and I'm sure that some of those ways will be found.  But if we get into the habit of having the government share information and letting organizations figure out how to act on the information, we'll be headed down a very good path.

[4] And nothing in this blog post would prove you wrong…