Researchers from Lookout Security disagreed with rival Symantec that 13 apps on the Android Market were malicious, instead saying that they showed the same behaviors as other ad-supported apps.
Earlier today, Symantec's Kevin Haley, a director with the company's security response team, said that 13 apps, some available in Google's official download store for at least a month, were created to distribute "Android.Counterclank," a Trojan that, among other things, modifies the browser's home page and bookmarks, and inserts a search icon that some users have said is impossible to delete.
Symantec estimated the number of downloads of the 13 apps at between 1 and 5 millions, prompting it to call the campaign the largest Android malware outbreak ever.
Lookout researchers disagreed.
"This is pretty clearly an ad[vertising] network that's similar to other ad networks," said Tim Wyatt, a principal engineer with Lookout, which markets a popular Android-specific security app.
Wyatt declined to identify the network he said was being used by the 13 apps -- which originate from three different publishers -- and that requests the permissions and exhibits the behavior Symantec dubbed malicious.
"This ad network does have the capability to enter bookmarks in your browser, which is different from other ad networks," Wyatt continued. "But a lot of its functionality is being embedded in other apps. Part of the business model of the company that owns the ad network is to add search conducted from apps."
Wyatt wasn't ready to call the apps' bookmark modifications over-the-line conduct, however, saying that Lookout is still investigating the 13 apps, as well as others that relied on different advertising networks for generating revenue for their free programs.
"I can tell you that this code [seen in the 13 apps] is not the only code for doing things like this," said Wyatt. "There are 10-plus ad networks that we track that have the same functionality."
Wyatt said that Symantec had "significantly overblown" the story by labeling the apps as Trojan-infected, and added that its rival had been "a bit premature" in coming to its conclusions.
Symantec did not respond to a request for comment on Lookout's assertions.
The debate over what is and what is not malware on Android is reminiscent of the argument years ago between security companies and developers over the term "adware," a software category that the former believed malicious enough to detect and delete, and that the latter saw as relatively harmless.
The dispute over adware -- and to a much lesser extent over the label "spyware" -- eventually led to several court cases . Currently, most security software detects adware as malicious or unwanted.
Last year, Wyatt said, Lookout had studied "Tonclank," code that Symantec said was the precursor to Counterclank, and determined that it, too, was not malicious per se, but instead spyware.
Sign up for CIO Asia eNewsletters.