Security Companies Disagree on Android Botnet

Sue Marquette Poremba

The Android OS has been hit with a very serious Trojan and a number of apps available in the Android Market are malicious.


Or maybe not.



There are some very conflicting reports coming from two well-known security providers about whether or not there is an Android botnet out there. According to ZDNet:

Security firm Symantec has uncovered a massive botnet that may have lured millions of unwitting Android users into downloading malware-infected apps from the official Google Android Market.

The Trojan is called Android.Counterclank and has been injected into 13 game apps available on the Android Market. Symantec provided a list of the infected apps and their publishers.


However, Lookout Security disagrees with Symantec's assessment. Lookout said this is an aggressive ad network, and on its blog, Lookout researchers added:

The average Android user probably doesn't want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behavior. In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks - this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar.

So who is right and who is wrong? More to the point, what are users to do?


A Computerworld article said this is reminiscent of the old days when security vendors and companies debated adware - was it malicious or was it a harmless annoyance? Today, security companies treat adware as malicious.


As an Android user, the best bet, until this is settled - and the folks at Lookout say they are continuing to investigate - is to err on the side of caution. Make sure security software is current on the phone. Be wise about the apps you download and read the comments other users leave to see if there are problems.


Of course, if the device is owned by a company, there should be some policies in place regarding what is an acceptable download (and reading the names of some of the suspected apps, they would not be suitable for a business phone). But again, here is where the slippery slope of bring your own device (BYOD) comes into play. Does the company get to have any say on an app that is downloaded onto a personally owned device, especially if there is a situation with mixed messages like this instance?


As this story moves forward, it will be interesting to see if one of the results is a true definition of what malware is (or isn't) and what can be done to protect devices from those applications that act malicious, but aren't.
