This post was originally published at Detecting and eliminating Chamois, a fraud botnet on Android

Posted by Security Software Engineers—Bernhard Grill, Megan Ruthven, and Xin
Zhao


image

Google works hard to protect users across a variety of devices and environments. Part of this work involves defending users against Potentially Harmful Applications (PHAs), an effort that gives us the opportunity to observe various types of threats targeting our ecosystem. For example, our security teams recently discovered and defended users of our ads and Android systems against a new PHA family we’ve named Chamois.

Chamois is an Android PHA family capable of:

  • Generating invalid traffic through ad pop ups having deceptive graphics inside the ad
  • Performing artificial app promotion by automatically installing apps in the background
  • Performing telephony fraud by sending premium text messages
  • Downloading and executing additional plugins

Our previous experience with ad fraud apps like this one enabled our teams to swiftly take action to protect both our advertisers and Android users. Because the malicious app didn’t appear in the device’s app list, most users wouldn’t have seen or known to uninstall the unwanted app. This is why Google’s Verify Apps is so valuable, as it helps users discover PHAs and delete them.

Chamois had a number of features that made it unusual, including:

  • Multi-staged payload: Its code is executed in 4 distinct stages using different file formats, as outlined in this diagram.
image

This multi-stage process makes it more complicated to immediately identify apps in this family as a PHA because the layers have to be peeled first to reach the malicious part. However, Google’s pipelines weren’t tricked as they are designed to tackle these scenarios properly.

  • Self-protection: Chamois tried to evade detection using obfuscation and anti-analysis techniques, but our systems were able to counter them and detect the apps accordingly.
  • Custom encrypted storage: The family uses a custom, encrypted file storage for its configuration files and additional code that required deeper analysis to understand the PHA.
  • Size: Our security teams sifted through more than 100K lines of sophisticated code written by seemingly professional developers. Due to the sheer size of the APK, it took some time to understand Chamois in detail.

Google continues to significantly invest in its counter-abuse technologies for Android and its ad systems, and we’re proud of the work that many teams do behind the scenes to fight PHAs like Chamois.

We hope this summary provides insight into the growing complexity of Android botnets. To learn more about Google’s anti-PHA efforts and further ameliorate the risks they pose to users, devices, and ad systems. For more details, keep an eye open for the upcoming “Android Security 2016 Year In Review” report.

image image

Originally posted here:

This post was originally published at Detecting and eliminating Chamois, a fraud botnet on Android