This huge number was possible because the Trojan has been grafted onto a number of applications available for download on the official Android Market.
Having analyzed and recognized Counterclank as a variant of the Tonclank Android Trojan, the researchers have come to the conclusion that it has been created by the same developer - a company that distributes a software development kit (Apperhand) to third parties to help them monetize their applications, primarily through search.
Counterclank records and send information such as the device's IMEI, brand, manufacturer, model, and Android OS version, metrics such as screen size and resolution, the user's language preference, the browser user agent and the identity of the application using the software development kit.
Apart from that, it is also capable of setting the device's browser's homepage, create bookmarks and shortcuts on the home screen. According to them, the homepage, bookmarks, and shortcuts can be sent to searchwebmobile.com, a domain belonging to Infospace, a firm that pays money to applications that redirect search queries through their website.
Although Symantec considers these apps and Counterclank as malware, others disagree. Lookout says that it is "an aggressive form of ad network" that does not appear to be malicious, but that should, nonetheless, be taken seriously.
"Due to the combined behavior of the applications, negative feedback from users who installed the applications, and the fact that previous applications (Android.Tonclank) using this code were initially suspended from the Google Market, we chose to notify users of Counterclank," reiterated Symantec.
"We have also submitted a ticket to Google for the removal of Counterclank from the Android Market. Google replied quickly informing us the applications met their Terms of Service and they will not be removed. We expect in the future there may be many similar situations where we will inform users about an application, but the application will remain in the Google Android Market."