
New Android malware operation may have affected 5M users

A massive new malware operation targeting devices running Google's Android OS may have infected five million users, a computer security firm said over the weekend.

Symantec said the victims may have downloaded infected apps from no less than Google's Android Market, according to a report on PC World.

"Yes, this is the largest malware [outbreak] on the Android Market," PC World quoted Kevin Haley, a director with Symantec's security response team, as saying in an interview.

"They don't appear to be real publishers. These aren't rebundled apps, as we've seen so many times before," he added.

Haley was referring to a common tactic among Android malware makers: repackaging a legitimate app with attack code, then re-releasing it to the marketplace in the hope that users will confuse the fake with the real deal.

Symantec dubbed the attack "Android.Counterclank." The malware was packaged in 13 different apps from three different publishers. The app titles ranged from "Sexy Girls Puzzle" to "Counter Strike Ground Force."

Many of the infected apps were still available on the Android Market as of 3 p.m. ET Friday, PC World said.

Symantec estimated the impact at between one and five million by combining the download totals of the 13 apps, which the Android Market shows as ranges.

"Android.Counterclank" is a Trojan horse that, when installed on an Android smartphone, collects information, including copies of the bookmarks and the handset maker. It also modifies the browser's home page.

The hackers have also monetized the malware by pushing unwanted advertisements to compromised Android phones.

Haley noted that the infected apps request an uncommonly large number of privileges, something the user must approve, but argued that few people bother reading them before giving their okay.

"If you were the suspicious type, you might wonder why they're asking for permission to modify the browser or transmit GPS coordinates. But most people don't bother," he said.

Older variation

Android.Counterclank is a minor variation on an older Android Trojan horse called Android.Tonclank that was discovered in June 2011.

Some of the 13 apps that Symantec identified as infected have been on the Android Market for at least a month, but Symantec discovered them only this weekend.

"The game is decent ... but every time you run this game, a 'search icon gets added randomly to one of your screens," said one user on Jan. 16 after downloading "Deal & Be Millionaire," one of the 13 apps.

"I keep deleting the icon, but it always reappears. If you tap the icon you get a page that looks suspiciously like the Google search page," the user added.

Android users have struck back at one of the infected apps with low review scores, calling it 'crap.'

Google informed

Haley said Symantec researchers have told Google of their discovery, but Google did not immediately reply to questions and a request for confirmation on the security firm's claims.

Haley said Symantec's researchers are still "peeling back the layers of the onion," and added that the company would publish more information on the threat as it unearthed details.

"What's interesting here is that instead of taking legitimate apps, [malware authors] have created apps similar to legitimate ones. That, and the big numbers of downloads, of course," he said.

Symantec has published a list of the 13 infected apps on its website. — LBG, GMA News