Lookout has released a tool that detects Carrier IQ, the software embedded in numerous smartphones that has raised questions from users, privacy advocates and even the US Congress.
The mobile security software company launched the free Carrier IQ Detector on December 2. It can be downloaded from the Android Market.
The tool only detects the presence of Carrier IQ on Android handsets: it does not scrub the software from the smartphone.
Lookout said that Carrier IQ was "deeply integrated with handset firmware and users would be required to attain special device privileges in order to remove it," then warned that doing so incorrectly could "put users at further risk of malware infection" and possibly make them unable to receive future phone updates.
Carrier IQ 'not malware'
The release of Carrier IQ Detector followed comments from Lookout last week in which the company said it would not classify the software as malware and questioned the label "rootkit" for the tracking and network diagnostic program.
Tim Wyatt, a principal engineer with Lookout, refused to call Carrier IQ 'malware', arguing that it just didn't fit the definition.
"Absolutely not," Wyatt said. He argued that because users hadn't been duped into launching a Trojan horse, Carrier IQ wasn't technically malware. "This is something that was pre-loaded by carriers, not downloaded by users," he explained.
"It wasn't malware hidden inside an app, so it doesn't fit the Trojan pattern. All indications are that it is intended to improve user experience. What's at question is what data is sent to the carrier."
He acknowledged that Lookout and its users were worried about the privacy implications.
"We do have concerns about the data, and under what circumstances it's going out," Wyatt said, noting that his opinion was a reflection of the feedback his company had received from users. "We definitely think that users should be told, and have a choice of opting out in circumstances like this telemetry."
'No malicious intent'
Other security researchers have said much the same.
In a blog post yesterday, Dan Rosenberg, a consultant at Virtual Security Research, said that his analysis of Carrier IQ had not found any malicious intent.
"I have repeatedly stated that based on my knowledge of the software, claims that keystrokes, SMS bodies, email bodies, and other data of this nature are being collected are erroneous," said Rosenberg, who, like Lookout, called for more transparency from Carrier IQ, handset makers and mobile service providers.
Lookout also called the "rootkit" label many have attached to Carrier IQ "a bit of hyperbole," with Wyatt adding that in the company's view, the software was not conducting "a criminal activity."
Some disagree. Both Congress and consumer advocates in the US have asked the Federal Trade Commission, the Department of Justice and the Federal Communications Commission to investigate Carrier IQ and its practices. The California-based Carrier IQ has also been hit with multiple lawsuits seeking class-action status.
And Carrier IQ's own marketing materials seem to undercut its most recent claims that the software is designed only to diagnose problems in smartphones and the mobile service provider networks they run on.