Detecting and eliminating Chamois, a fraud botnet on Android
By Google Security Software Engineers—Bernhard Grill, Megan Ruthven, and Xin Zhao
March 14, 2017
Google works hard to protect users across a variety of devices and environments. Part of this work involves defending users against Potentially Harmful Applications (PHAs), an effort that gives us the opportunity to observe various types of threats targeting our ecosystem. For example, our security teams recently discovered and defended users of our ads and Android systems against a new PHA family we've named Chamois.
Interference with the ads ecosystem
We detected Chamois during a routine ad traffic quality evaluation. We analyzed malicious apps based on Chamois and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics. This sometimes resulted in the download of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad systems.
Under Chamois's hood
Chamois was one of the largest PHA families seen on Android to date, and it was distributed through multiple channels. To the best of our knowledge, Google is the first to publicly identify and track Chamois.
Google's approach to fighting PHAs
Verify Apps protects users from known PHAs by warning them when they are downloading an app that is determined to be a PHA, and it also enables users to uninstall the app if it has already been installed. Additionally, Verify Apps monitors the state of the Android ecosystem for anomalies and investigates the ones that it finds. It also helps find unknown PHAs through behavior analysis on devices. For example, many apps downloaded by Chamois were highly ranked by the DOI scorer. We have implemented rules in Verify Apps to protect users against Herole.
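The post does not explain how the DOI scorer ranks apps. The following is an added illustration, not Google's code: it models the scorer as a retention-rate z-score (the formula, the -3.7 threshold, and the device counts are assumptions constructed for this example, loosely following Google's separately published description of the scorer). Each app's retention rate among the devices that installed it is compared against the ecosystem-wide rate; an app whose devices stop checking in far more often than expected gets a strongly negative score and is ranked as suspicious.

```python
import math
from typing import Dict, List, Tuple

# Assumed flagging threshold for this illustration (z-score below this is suspicious).
DOI_THRESHOLD = -3.7

# Constructed sample data: app -> (devices that installed it, devices still checking in).
# "com.example.fakeupdate" plays the role of a hypothetical Chamois-style dropper.
SAMPLE_INSTALLS: Dict[str, Tuple[int, int]] = {
    "com.example.weather": (1000, 960),
    "com.example.notes": (500, 485),
    "com.example.fakeupdate": (400, 300),
    "com.example.flashlight": (200, 190),
}


def ecosystem_retention_rate(installs: Dict[str, Tuple[int, int]]) -> float:
    """Expected retention rate p, pooled over every app's devices."""
    total = sum(n for n, _ in installs.values())
    retained = sum(r for _, r in installs.values())
    if total == 0:
        raise ValueError("no devices")
    return retained / total


def doi_zscore(n_devices: int, n_retained: int, p: float) -> float:
    """z = (r - p) / sqrt(p(1-p)/N), where r is the app's own retention rate.

    The same value can be written as (N*r - N*p) / sqrt(N*p*(1-p)).
    A large negative z means far fewer of this app's devices survived than expected.
    """
    if n_devices <= 0:
        raise ValueError("app must have at least one device")
    if not 0 < p < 1:
        # Degenerate ecosystem (everyone or no one retained): no variance to compare against.
        return 0.0
    r = n_retained / n_devices
    return (r - p) / math.sqrt(p * (1 - p) / n_devices)


def rank_apps(installs: Dict[str, Tuple[int, int]]) -> List[Tuple[str, float]]:
    """Rank apps most-suspicious first (lowest z-score first)."""
    p = ecosystem_retention_rate(installs)
    scored = [(app, doi_zscore(n, r, p)) for app, (n, r) in installs.items()]
    return sorted(scored, key=lambda item: item[1])


def flagged_apps(installs: Dict[str, Tuple[int, int]],
                 threshold: float = DOI_THRESHOLD) -> List[str]:
    """Apps whose z-score falls below the (assumed) DOI threshold."""
    return [app for app, z in rank_apps(installs) if z < threshold]


if __name__ == "__main__":
    for app, z in rank_apps(SAMPLE_INSTALLS):
        print(f"{app:28s} z={z:7.2f}")
    print("flagged:", flagged_apps(SAMPLE_INSTALLS))
```

With the constructed data, only the hypothetical dropper lands below the threshold (z is roughly -12.7); the benign apps score positive because their retention is slightly above the pooled rate. In practice such a score is one signal that prompts investigation, not a verdict by itself.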
We hope this summary provides insight into the growing complexity of Android botnets, into Google's anti-PHA efforts, and into how we work to reduce the risks they pose to users, devices, and ad systems. For more details, keep an eye open for the upcoming "Android Security 2016 Year In Review" report.