The malware hid behind many protection layers

Mar 14, 2017 15:23 GMT  ·  By

Google has just taken down a huge family of malicious Android apps it named Chamois. According to the company, these apps may have infected millions of devices. 

Chamois, named after the goat-like mountain antelope, is only the latest attempt to exploit the sheer number of Android devices for large-scale ad fraud. An earlier family, HummingBad, infected about 10 million devices at its peak and earned the attackers behind it over $300,000 a month.

"We detected Chamois during a routine ad traffic quality evaluation. We analyzed malicious apps based on Chamois and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics. This sometimes resulted in downloading of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad system," reads a blog post signed by the company's Security Software Engineers Bernhard Grill, Megan Ruthven, and Xin Zhao.

Google's previous experience with ad fraud apps like this one helped it take swift action to protect Android users and advertisers alike.

The intricacies of Chamois

The malicious apps did not appear in the device's app list, so users could not even see them in order to uninstall them, as often happens with this type of tool. This is where Verify Apps comes into play: it is the Google-developed scanner that helps users discover potentially harmful applications and remove them.

According to Google, Chamois was one of the largest families of malicious apps seen on Android to date, and it was distributed through multiple channels.

Chamois had a number of features that made it unusual. For instance, its code was executed in four distinct stages, each using a different file format. This multi-stage process made it harder to identify apps in this family as harmful right away, because each layer has to be peeled off before the malicious part is reached.
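The layered-execution point above invites a concrete illustration. The following is an added example written for this page, not code from Google's analysis or from the Chamois apps themselves: it walks a constructed, synthetic APK-like archive, identifies each embedded file by its magic bytes rather than by its name, recurses into nested containers, and flags executables found below the outermost layer. The sample archive, its file names and the "hidden executable" and "misnamed container" heuristics are assumptions made for the demonstration; the magic values are the real public ones for ZIP, DEX and ELF.

```python
"""Recursive layer scanner for multi-stage Android payloads (added example).

Identifies embedded files by content, not by name, unpacks ZIP/APK containers
recursively, and reports executables that only appear after peeling layers.
The sample archive below is constructed here and is not a real Chamois artefact.
"""
import io
import zipfile

# Public magic-byte signatures for formats commonly layered inside Android apps.
SIGNATURES = {
    b"PK\x03\x04": "zip",   # ZIP container: APK, JAR, or a renamed asset
    b"dex\n": "dex",        # Dalvik executable (header begins "dex\n035\0")
    b"\x7fELF": "elf",      # native library or executable
}

# File name suffixes under which a ZIP container is expected; anything else
# holding a ZIP (e.g. "assets/stage2.bin") is a heuristic signal (assumption).
EXPECTED_ZIP_SUFFIXES = (".apk", ".zip", ".jar")


def identify(blob: bytes) -> str:
    """Classify a blob by its leading magic bytes; 'unknown' if none match."""
    for magic, name in SIGNATURES.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def layers(blob: bytes, path: str = "root", depth: int = 0, max_depth: int = 8):
    """Return [(path, depth, format)] for blob and every file nested inside it.

    Containers are recursed into regardless of their file name, which is the
    whole point: a stage hidden under an innocuous extension is still unpacked.
    max_depth guards against zip bombs and self-referential archives.
    """
    fmt = identify(blob)
    found = [(path, depth, fmt)]
    if fmt == "zip" and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                found.extend(layers(zf.read(name), f"{path}/{name}", depth + 1, max_depth))
    return found


def hidden_executables(entries, min_depth: int = 2):
    """Executables (DEX/ELF) reachable only through a nested container."""
    return [e for e in entries if e[2] in ("dex", "elf") and e[1] >= min_depth]


def misnamed_containers(entries):
    """ZIP containers stored under a name that does not announce a container."""
    return [e for e in entries
            if e[2] == "zip" and e[1] > 0 and not e[0].lower().endswith(EXPECTED_ZIP_SUFFIXES)]


def build_sample() -> bytes:
    """Construct a synthetic three-layer archive: APK -> .bin asset -> ZIP -> ELF."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("lib/payload.so", b"\x7fELF" + b"\x00" * 60)        # fake ELF stub
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)       # fake DEX stub
        z.writestr("assets/config.bin", bytes(range(256)))              # opaque blob
        z.writestr("assets/stage2.bin", inner.getvalue())               # ZIP hidden as .bin
    return outer.getvalue()


if __name__ == "__main__":
    entries = layers(build_sample())
    for path, depth, fmt in entries:
        print(f"{'  ' * depth}{path.rsplit('/', 1)[-1]}: {fmt}")
    print("hidden executables:", hidden_executables(entries))
    print("misnamed containers:", misnamed_containers(entries))
```

Run as a script it prints the nesting tree of the constructed sample; the two heuristic functions are deliberately separate from the walker so they can be swapped for whatever signals an analyst actually trusts.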

(Image: The Chamois family)

The Chamois apps could also evade detection through obfuscation and anti-analysis techniques, which Google's systems countered. Furthermore, the apps used a custom, encrypted file store for their configuration files, along with additional code that required deeper analysis before the dangers of the app could be understood.

Google says it went through more than 100,000 lines of sophisticated code to better understand Chamois.

The company did not name any of the Chamois apps, but we assume they have all been taken care of already.
