I get a lot of vendor PR pitches each day that I ignore for a variety of reasons, especially when the FUD factor is high. And so it was when a PR guy emailed me with this alarming headline: “Newly Discovered Android Malware Has Infected Millions of Users.”

The pitch linked to a blog post from Symantec researcher Irfan Asrar, which proclaimed:

“Symantec has identified multiple publisher IDs on the Android Market that are being used to push out Android.Counterclank. This is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device. For each of these malicious applications, the malicious code has been grafted on to the main application in a package called “apperhand”. When the package is executed, a service with the same name may be seen running on a compromised device. Another sign of an infection is the presence of the Search icon above on the home screen.”

The post itself was pretty basic and, as an Android user myself, good to know. But the PR pitch took it to a more dramatic level: “The 1 million to 5 million combined downloads of the 13 different app titles this malware hides behind indicates just how widespread this mobile malware is.”

Other security vendors pushed back on the claim, most notably Lookout Security. In an interview with Computerworld scribe Gregg Keizer, Tim Wyatt, a principal engineer with Lookout, said that Symantec had “significantly overblown” the story by labeling the apps as Trojan-infected, and added that its rival had been “a bit premature” in coming to its conclusions.

Yesterday, Symantec backed off its original claims. In the follow-up story, Keizer wrote:

Symantec has backtracked from assertions last week that 13 Android apps distributed by Google’s Android Market were malicious, and now says that the code in question comes from an aggressive ad network that provides revenue to the smartphone programs.

The security firm’s new stance was in line with that taken by Lookout Security, which on Friday questioned Symantec’s conclusions and instead said that the apps displayed the same behavior as others funded by 10 or more similar ad networks.

Symantec dubbed the code embedded within the 13 apps Android.Counterclank and classified it as a Trojan horse, or malware. According to Symantec’s researchers, the malware was a variation on “Android.TonClank,” called “Plankton” by researchers at North Carolina State University, another Trojan first uncovered in June 2011.

The apps containing the Android.Counterclank code had been downloaded between 1 million and 5 million times, said Symantec, which used the Android Market’s own published numbers to arrive at that range. That made it the “largest malware [outbreak] on the Android Market,” Kevin Haley, a director with Symantec’s security response team, said in an interview last Friday.

In a blog post Monday, Symantec retracted its earlier allegations and said that the Android.Counterclank code comes from an SDK, or software development kit, distributed to “third parties to help them monetize their applications, primarily through search.”

An honest mistake on Symantec’s part? Perhaps. Whatever the case may be, security vendors everywhere should view this as a teachable moment. Specifically, when reporting malware, they need to keep the drama level low. Otherwise, when something truly big and nasty appears, nobody’s going to pay attention when the vendor who over-hyped the last threat comes out with a warning for the new one. It’s the classic boy who cried wolf syndrome.