A highly sophisticated botnet, embedded in applications to deceive malicious ads and SMS, was able to successfully detect and neutralize the Android security team. The botnet belonged to a family of malware known as “Chamois", Which was already released by 2016 and was spreading through it Google Play and through third-party app stores. The Android security team moved aggressively and started to point out and help uninstall the Chamois software until it is sure it was past.
After their successful effort however, the November 2017, malicious software Chamois, returned stronger than before and until March 2018 20,8 managed to infect millions of devices. The Android security team has now managed to reduce the number to less than 2 million infections. At Kaspersky Security Analyst Summit in Singapore this week, Android security engineer Maddie Stone presents a full analysis of how Google fought against Chamois.
After 2018's launch peaked in March, the Android security team began collaborating with other Google security teams to address the new threat. While the first versions of malicious software consisted of four stages of infection, the new ones consisted of six and additionally contained mechanisms that helped them to remain unnoticed.
The Chamois family of software, like most botnets, receives remotely commands from a command and control server that coordinates infected devices to work on specific tasks. In this case, they involved SMS and adware frauds.
Much of recurrence of Chamois resulted from application developers and Android device manufacturers who deceived to incorporate the code of Chamois in their applications and even the preinstalled software. Attackers set up a website and spread Chamois as a legitimate ad software development kit that could provide ad distribution services.
Google Play Protect, which helps to eradicate false Android apps, has more features to detect when Chamois runs on a device and disables it. Google has also recently expanded the pre-installed code scan to partner devices, and further encouraged device manufacturers to control third-party code before product launches.
The Android security team concluded that the most remarkable feature of the botnet was the professionalism of its developers. The team uncovered dozens of carefully organized command and control servers for the botnet and also noted that the malware included a mechanism called "feature flags" that is commonly used in legitimate software development to enable or disable specific features in various parts of it world.
Chamois developers have also worked to maintain low profile and incorporate updates of their malware gradually into infected devices.
Google is now using a combination of detection methods for Chamois software, while also making monthly and quarterly check-in all the stats of Chamois, to enable them to quickly stop any new outbreak of the botnet. And Stone says the Android security team is still removing the remaining 1,8 millions of infections.
The Android team promises to stay alert, knowing that the Chamois creators will not give up so easily.