SINGAPORE—The Android security team’s announcement in March 2017 that it had eradicated the Chamois malware family from Google Play turned out to be Android’s “Mission Accomplished” moment. Version 3 of Chamois surfaced in January 2018, more sophisticated and virulent than previous versions, followed by version 4 a few months later.
Apps containing code associated with the Chamois malware family first surfaced on Google Play in August 2016, followed by version 2 in November 2016. At its peak, in March 2018, Chamois had infected 20.8 million devices, Android security engineer Maddie Stone said at the Kaspersky Security Analyst Summit. Infected devices were commandeered into a botnet, and received instructions from a remote command-and-control server.
The Android team has successfully chipped away at that number in the year since, and in March, there were fewer than 2 million infections.
Chamois was “the biggest botnet you’d never heard of,” Stone said.
Early versions of Chamois masqueraded as benign apps and tricked users into downloading the apps onto their devices, but Google Play’s scanning tools became more efficient and effective at recognizing and blocking Chamois. Later versions of Chamois switched tactics and tricked app developers and device manufacturers into incorporating the code directly into their apps, making it possible for these tainted apps to appear on Google Play, Stone said.
Phone manufacturers thought Chamois was a mobile payment solution. Developers thought Chamois was a legitimate advertising software development kit.
Developers packed the malware into their apps without realizing they were incorporating a backdoor. With Chamois on the device, the botnet served malicious ads and directed victims to premium SMS scams.
Whenever the team thought it had neutralized the botnet, a new version would appear, more sophisticated and virulent than the previous, Stone said. While the earlier versions had infected devices in four distinct stages, the newer versions in 2018 contained six stages. The later versions were equipped with features designed to make detection harder, such as not executing the malicious code if antivirus, anti-analysis, or anti-debugging tools are present on the device.
If the analysts ran the app in a testing environment—such as the team’s security analysis environment—then the malicious code remained dormant and avoided detection.
Every time the Android security team introduced a new protective measure to make it hard for Chamois to carry out its remote instructions, the group behind Chamois figured out a way to get around the barrier. To prevent premium SMS fraud, the Android security team required apps to obtain explicit permission to text a premium number. In response, the group behind Chamois added a check to see if the device was rooted. If it was, the malware used the expanded privileges available to disable premium SMS warnings. As a result, the victims learned about messages being sent to premium numbers only when the bills arrived.
The group behind Chamois was paying close attention to what the Android security team was doing, too. Back in 2018, within 72 hours of Stone speaking at Black Hat, the group started changing the bytes and the indicators she had provided in her talk. The group also fingerprinted the security analysis environment the security team used, and figured out ways to protect the malware from the customizations the team developed to detect and block the malware.
Technically Complex Code
Chamois showed that attackers now need a high level of sophistication in order to be able to get around the protections in Android. Stone said the developers showed a high degree of professionalism, such as testing out updates in specific regions before a wider rollout. The malware also used feature flags, a practice commonly seen in legitimate software development to enable and disable features depending on what kind of users were being targeted. As an example, Chamois is designed to not execute at all if it is on a device in China.
“They are not looking for the lowest hanging fruit,” Stone said.
At the moment, Google relies on several detection methods to identify Chamois, including signature-based flags, machine-learning assessment, and behavioral analytics. The company also scans preinstalled code on partner devices (to look for situations where Chamois was incorporated as if it was a legitimate package) and encourages device makers to audit third-party code before shipping.
The current combination of tactics has the defenders in control. Despite the fact that researchers have seen 12,800 new samples between March 2018 and March 2019, the number of devices in the botnet has declined by 91 percent, Stone said.
The security team is currently in the “maintenance and monitoring phase,” Stone said.