In March 2017 the Android security team detected, analysed and eliminated a sophisticated botnet built from apps carrying its code that worked together to power ad and SMS fraud. Dubbed Chamois, the malware family had first cropped up in 2016 and was distributed through Google Play and third-party app stores. The Android team worked to flag Chamois and help uninstall it from devices until they were confident it was dead.
Eight months later, Chamois was back and more vicious than before. A year after the initial discovery, the botnet Google thought it had eliminated hit an all-time high, infecting 20.8 million devices.
At the Kaspersky Security Analyst Summit, Maddie Stone, an engineer on the Android security team, presented a full post mortem on fighting back against Chamois a second time. By then the team had brought the number of infected devices back under 2 million. She also described how personal the rivalry became:
“I actually gave a talk at Black Hat last year on what’s called ‘stage three’ of Chamois, and within 72 hours of me giving that talk, they started trying to change the bytes and each of the indicators I talked about. We could see them manipulating it. The Chamois developers also fingerprinted our exact Android security analysis environment and built in protections for some of the customizations that we use.”
Back with a vengeance
When infections peaked in March 2018, the Android security team began collaborating with others across Google, such as anti-abuse and ad-security specialists and software engineers, to get to grips with the new variant of Chamois.
The first two variants of Chamois, tracked in 2016 and 2017 respectively, used four stages to infect a device and to organise and mask the attack. The 2018 version had six stages, including checks for antivirus engines and more sophisticated anti-analysis and anti-debugging shields to avoid discovery.
Malware developers build these features into the code so it can determine when it is running in a testing environment, such as the Android security team's analysis environment, and react by hiding its malicious functionality.
Like most botnets, Chamois gets its commands from a remote command-and-control (C2) server, which coordinates infected devices to carry out specific tasks. All iterations of Chamois have focused on serving malicious ads and pushing premium SMS scams.
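The environment checks described above are easiest to understand from the analyst's side. Below is an added example, not code from the page or from Google's Chamois analysis, written in Python to model the kind of fingerprinting a sample can do: it reads a dictionary of Android system properties (real property names, as printed by `adb shell getprop`) plus the installed package list, and counts how many well-known emulator or instrumentation tells fire. The indicator regexes, the threshold of two and both device descriptions are constructed for illustration; they are not Chamois's actual checks.

```python
import re

# Real Android system property names; the patterns are well-known emulator
# tells chosen for illustration, not Chamois's actual checks.
EMULATOR_INDICATORS = [
    ("ro.build.fingerprint", re.compile(r"generic|unknown|test-keys")),
    ("ro.product.model", re.compile(r"^(sdk|google_sdk|Android SDK built for)")),
    ("ro.hardware", re.compile(r"^(goldfish|ranchu|vbox86)")),
    ("ro.kernel.qemu", re.compile(r"^1$")),
    ("ro.product.manufacturer", re.compile(r"^Genymotion$")),
]

# Instrumentation packages a sample may look for via the package manager.
ANALYSIS_PACKAGES = {
    "de.robv.android.xposed.installer",
    "com.topjohnwu.magisk",
    "org.lsposed.manager",
}


def fingerprint(props, packages):
    """Return every indicator that fires for one device description.

    props: dict of system property name -> value (`adb shell getprop`).
    packages: iterable of installed package names (`pm list packages`).
    """
    hits = []
    for name, pattern in EMULATOR_INDICATORS:
        value = props.get(name, "")
        if pattern.search(value):
            hits.append(f"{name}={value}")
    for pkg in sorted(ANALYSIS_PACKAGES & set(packages)):
        hits.append(f"package:{pkg}")
    return hits


def looks_like_sandbox(props, packages, threshold=2):
    """The decision a sample makes: go dormant once enough tells fire.
    The threshold is an assumption for this example; above one, a single
    leaked property is tolerated, two tells together are not."""
    return len(fingerprint(props, packages)) >= threshold


# Constructed device descriptions (not captured from real devices).
STOCK_AVD = {
    "ro.build.fingerprint": "google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:userdebug/test-keys",
    "ro.product.model": "Android SDK built for x86",
    "ro.hardware": "ranchu",
    "ro.kernel.qemu": "1",
    "ro.product.manufacturer": "Google",
}
# An analysis environment whose operator rewrote the obvious properties to
# look like a retail phone but forgot ro.kernel.qemu.
HARDENED_SANDBOX = {
    "ro.build.fingerprint": "google/blueline/blueline:11/RQ3A.210805.001/7474174:user/release-keys",
    "ro.product.model": "Pixel 3",
    "ro.hardware": "blueline",
    "ro.kernel.qemu": "1",
    "ro.product.manufacturer": "Google",
}

if __name__ == "__main__":
    for label, props, pkgs in [
        ("stock AVD", STOCK_AVD, {"com.android.settings"}),
        ("hardened sandbox", HARDENED_SANDBOX, {"com.android.settings"}),
        ("hardened sandbox + Magisk", HARDENED_SANDBOX, {"com.topjohnwu.magisk"}),
    ]:
        print(label, looks_like_sandbox(props, pkgs), fingerprint(props, pkgs))
```

The defensive use is the inverse of the sample's: feed `fingerprint` the real `getprop` output and package list of your sandbox and fix everything it reports. The third case shows why a partial clean-up is not enough: one leaked property plus one visible root-management tool already crosses the threshold, so the sample would go quiet exactly where you are trying to observe it.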
When you donate to a charity or pay for a digital service via text message, you are sending a message to a premium number that is billed to your account. When you respond to a fraudulent SMS, or when malware sends one on your behalf, the money goes to cybercriminals rather than the organisation you think you are paying.
Android has had protections against this type of scam for years; since 2014 that has included requiring explicit permission before an app can send a text to a premium number. Chamois first checks whether the infected device is rooted; if it is, the malware expands its functionality to disable the premium SMS warnings.
A victim of this fraud would only notice the attack when the phone bill arrived. Stone says the ad-fraud payload runs silently in the background on infected devices, pumping malicious ad traffic out to the world without the phone's owner noticing.
In 2016 and 2017 the attackers started submitting apparently harmless applications to the Play Store as part of their distribution strategy, with the Chamois code hidden inside. As Google became better at spotting and blocking these apps, the attackers had to diversify how they distributed the malware.
Stone put it this way:
“A lot of the discussion before has been that with Android malware there’s a lot of low-hanging fruit, but Chamois shows the sophistication you have to get to now as an attacker to be successful. It is a well-engineered piece of code, I have to give them that, but it’s also scary that that’s where the malware is at this point.”
The biggest driver of Chamois's resurgence was app developers and device manufacturers being duped into including Chamois code in their apps, including the apps preinstalled on devices. The attackers created a website that peddled the malicious code as a legitimate advertising SDK (software development kit) offering ad-distribution services.
Google Play Protect, which helps weed out fake and malicious Android apps, has become good at detecting Chamois running on a device and disabling it. It has since been extended to scan preinstalled apps, which pushes device makers to audit third-party code before shipping their products. If a manufacturer cannot fully vet the code, it should not ship it.
One thing the Android security team determined over the years is that the most striking feature of this botnet is the professionalism of its developers.
The team found dozens of command-and-control servers for the botnet. They also observed a mechanism called feature flags, which legitimate software development uses to enable or disable particular features, here applied to different parts of the world.
Android researchers also found that Chamois goes inert if it detects that it is running in China. Stone did not offer a theory as to why.
The botnet developers worked hard to keep a low profile and rolled updated versions of the malware out to infected devices slowly.
They would test a new version on devices in a particular geographic region to confirm that the code worked as intended before pushing it out more broadly.
Google uses a combination of detection methods to police Chamois: signature-based flags, machine-learning assessments and behavioural analytics.
Chamois statistics are reviewed monthly and quarterly so the brakes can be applied quickly whenever the botnet gains momentum.
The Android security team is continuing to chip away at the last 1.8 million infections, but the botnet developers keep pushing back. Since infections skyrocketed in March 2018, researchers have observed 14,000 new Chamois samples.
As Stone put it:
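As an added example for the premium-SMS and ad-fraud behaviour described earlier and for the layered detection described here (not code from the page or from Google Play Protect), the Python below runs a signature layer and a behavioural layer over a constructed log of per-app device events and reports findings per package. The event format, package names, blocklisted host, APK hashes and the threshold of three silent ad requests are all invented for illustration. The short-code rule is a deliberate simplification: Android's own premium-SMS check uses per-country patterns (AOSP's sms_short_codes.xml), so a real detector would reuse those.

```python
import re
from collections import defaultdict

# Signature layer. These indicators are placeholders constructed for this
# example; they are not real Chamois indicators of compromise.
KNOWN_BAD_HOSTS = {"ads-cdn.example.net"}
KNOWN_BAD_SHA256 = {"d" * 64}

# Behavioural layer threshold (illustrative assumption).
SILENT_AD_THRESHOLD = 3

# Simplification: treat any 4-6 digit destination as a short code that may
# be premium-rated. Android's real check uses per-country patterns.
SHORT_CODE = re.compile(r"^\d{4,6}$")


def is_short_code(dest):
    return bool(SHORT_CODE.match(dest))


def analyse(events, app_hashes):
    """Run both layers over a list of event dicts.

    events: dicts with 'pkg', 'type' and type-specific fields:
        net: 'host'; sms: 'dest', 'foreground'; ad: 'user_interaction'.
    app_hashes: package name -> SHA-256 of its APK.
    Returns {pkg: [finding, ...]} for every package seen; [] means clean.
    """
    c2_hosts = defaultdict(set)
    background_sms = defaultdict(int)
    silent_ads = defaultdict(int)

    for ev in events:
        pkg = ev["pkg"]
        if ev["type"] == "net" and ev["host"] in KNOWN_BAD_HOSTS:
            c2_hosts[pkg].add(ev["host"])
        elif ev["type"] == "sms" and is_short_code(ev["dest"]) and not ev["foreground"]:
            # A short-code message sent while the app has no UI on screen is
            # the premium-SMS pattern: the user never saw or approved it.
            background_sms[pkg] += 1
        elif ev["type"] == "ad" and not ev["user_interaction"]:
            # Ad traffic generated with no user interaction is the ad-fraud pattern.
            silent_ads[pkg] += 1

    packages = set(app_hashes) | {ev["pkg"] for ev in events}
    report = {}
    for pkg in sorted(packages):
        findings = []
        if app_hashes.get(pkg) in KNOWN_BAD_SHA256:
            findings.append("signature: known APK hash")
        for host in sorted(c2_hosts[pkg]):
            findings.append(f"signature: C2 host {host}")
        if background_sms[pkg]:
            findings.append(f"behaviour: {background_sms[pkg]} SMS to short codes from background")
        if silent_ads[pkg] >= SILENT_AD_THRESHOLD:
            findings.append(f"behaviour: {silent_ads[pkg]} ad requests with no user interaction")
        report[pkg] = findings
    return report


# Constructed sample log: one trojanised app, one legitimate messaging app
# (a user-initiated charity text to the same short code), one ad-supported
# news app, and one app whose APK hash alone is on the blocklist.
SAMPLE_EVENTS = [
    {"pkg": "com.example.flashlight", "type": "net", "host": "ads-cdn.example.net"},
    {"pkg": "com.example.flashlight", "type": "sms", "dest": "80808", "foreground": False},
    {"pkg": "com.example.flashlight", "type": "sms", "dest": "80808", "foreground": False},
    {"pkg": "com.example.flashlight", "type": "ad", "user_interaction": False},
    {"pkg": "com.example.flashlight", "type": "ad", "user_interaction": False},
    {"pkg": "com.example.flashlight", "type": "ad", "user_interaction": False},
    {"pkg": "com.example.messenger", "type": "sms", "dest": "80808", "foreground": True},
    {"pkg": "com.example.messenger", "type": "sms", "dest": "+15550100", "foreground": True},
    {"pkg": "com.example.news", "type": "ad", "user_interaction": True},
    {"pkg": "com.example.news", "type": "ad", "user_interaction": False},
]
SAMPLE_HASHES = {
    "com.example.flashlight": "a" * 64,
    "com.example.messenger": "b" * 64,
    "com.example.news": "c" * 64,
    "com.example.sdkwrapper": "d" * 64,
}

if __name__ == "__main__":
    for pkg, findings in analyse(SAMPLE_EVENTS, SAMPLE_HASHES).items():
        print(pkg, findings or "clean")
```

The point of keeping the two layers separate is visible in the sample: the messaging app sends to the very same short code as the trojanised app but from the foreground, so it stays clean, while the signature-only hit on the SDK wrapper catches a package that has produced no behaviour yet. Signatures alone would have missed the flashlight app once its developers changed the bytes, which is exactly the adaptation Stone describes.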
“The actors weren’t stopping or slowing down. We were just trying to play smarter and really trying to push them back. They are still attempting to gain ground. But we’re in a maintenance and monitoring phase now, because we are seeing constant declines with our existing measures.”
The Android team will remain vigilant, knowing that the Chamois developers would like nothing more than for Google to be lulled into a false sense of security.