Researchers from Lookout Security disagreed with rival Symantec that 13 apps on the Android Market were malicious, instead saying that they showed the same behaviours as other ad-supported apps.
Symantec's Kevin Haley, a director with the company's security response team, said that 13 apps, including some available in Google's official download store for at least a month, were created to distribute a Trojan. Named Android.Counterclank, the program modifies the browser's home page and bookmarks and inserts a search icon that some users have said is impossible to delete, among other things.
Symantec estimated the number of downloads of the 13 apps at between 1 and 5 millions, prompting it to call the campaign the largest Android malware outbreak ever.
Lookout researchers disagreed.
"This is pretty clearly an ad network that's similar to other ad networks," said Tim Wyatt, a principal engineer with Lookout, which markets a popular Android-specific security app.
Wyatt declined to identify the network he said was being used by the 13 apps, which originate from three different publishers, and that requests the permissions and exhibits the behaviour Symantec dubbed malicious.
"This ad network does have the capability to enter bookmarks in your browser, which is different from other ad networks," Wyatt continued. "But a lot of its functionality is being embedded in other apps. Part of the business model of the company that owns the ad network is to add search conducted from apps."
Wyatt wasn't ready to call the apps' bookmark modifications over-the-line conduct, however, saying that Lookout is still investigating the 13 apps, as well as others that relied on different advertising networks for generating revenue for their free programs.
"I can tell you that this code [seen in the 13 apps] is not the only code for doing things like this," said Wyatt. "There are more than 10 ad networks that we track that have the same functionality."
Wyatt said that Symantec had "significantly overblown" the story by labelling the apps as Trojan-infected and added that its rival had been "a bit premature" in coming to its conclusions.
Symantec did not respond to a request for comment on Lookout's assertions.
The debate over what is and what is not malware on Android is reminiscent of the argument years ago between security companies and developers over the term "adware," a software category that the former believed malicious enough to detect and delete, and that the latter saw as relatively harmless.
Last year, Wyatt said, Lookout had studied "Tonclank," code that Symantec said was the precursor to Counterclank, and determined that it, too, was not malicious per se, but instead spyware.
Information about Tonclank was first published by Xuxian Jiang, an assistant professor in computer science at North Carolina State University, whose team named the code "Plankton" and used the term "botnet" to describe it.
"We thought it was spyware, but then we decided it was a prototype ad network that crosses the line into spyware," said Wyatt. "Since then, [the ad network] has pulled back from that."
"We have been looking at exactly this type of behaviour," added Derek Halliday, a Lookout senior security product manager, referring to Counterclank. "We understand that this type of behaviour can be confusing to the average user, but Symantec is inflating that confusion with messages that it's malware."
Wyatt, too, was firm in his belief that apps containing Counterclank are not malicious.
"This does raise questions about what's acceptable behaviour for apps, but I think it's fair to say that [these apps] aren't exhibiting any maliciousness," Wyatt said. "If you do, you're getting ahead of yourself."
Both Wyatt and Halliday said that Lookout's investigation into Counterclank-using apps is ongoing, and they promised the company would issue a report on them in the upcoming weeks.