Symantec has backtracked from assertions last week that 13 Android apps distributed by Google's Android Market were malicious, and now says that the code in question comes from an aggressive ad network that provides revenue to the smartphone programs.
The security firm's new stance was in line with that taken by Lookout Security, which on Friday questioned Symantec's conclusions and instead said that the apps displayed the same behavior as others funded by 10 or more similar ad networks.
Symantec dubbed the code embedded within the 13 apps "Android.Counterclank," and classified it as a Trojan horse, or malware. According to Symantec's researchers, the malware was a variation on "Android.TonClank," called "Plankton" by researchers at North Carolina State University, another Trojan first uncovered in June 2011.
The apps containing the Android.Counterclank code had been downloaded between 1 million and 5 million times, said Symantec, which used the Android Market's own published numbers to arrive at that range. That made it the "largest malware [outbreak] on the Android Market," Kevin Haley, a director with Symantec's security response team, said in an interview last Friday.
In a blog post Monday, Symantec retracted its earlier allegations and said that the Android.Counterclank code comes from an SDK, or software development kit, distributed to "third parties to help them monetize their applications, primarily through search."
Symantec declined to name the ad network that distributes the SDK responsible for the code it detects as Android.Counterclank.
Both Symantec and Lookout have noted that the ad network code used by the 13 apps is more aggressive than the norm.
"In general, it's changing the home page of the [smartphone's] browser, adding additional shortcuts to the desktop, adding and even removing bookmarks," said Haley in a follow-up interview today.
So, if the Android.Counterclank apps are not malicious, what are they? Adware, the name pinned to unwanted PC software in the last decade?
Haley wasn't ready or willing to assign a label.
"It took a while for some consensus then about what was adware or spyware, and what wasn't," said Haley, talking about the intense debate five-to-seven years ago about those terms. "But eventually that consensus was reached."
Symantec will still identify apps that include Android.Counterclank -- a name it's also continuing to use -- but will not delete them, said Haley.
"We will come up with labels when it's appropriate," said Halley. "Now, we will make sure that we tell customers what's going on on their phones. We'll tell them what it does, and let them make the decision whether they want to make the trade-off and keep the app."
That was essentially the same practices that security companies used initially during the debates over adware and spyware on Windows PCs. Eventually, most antivirus vendors moved to a more forceful approach, and started to automatically remove such software.
Sign up for CIO Asia eNewsletters.