Bye bye, botnet! Kibosh put on Chamois Android fraud network

Post-mortem analysis reveals several distinguishing traits…

Security researchers have put the kibosh on Chamois, a fraud botnet which derived its jollies from targeting Android users.

One of the largest Android families of "potentially harmful applications" (or "potentially unwanted applications," if you'd prefer), Chamois' offenses are four-fold:

  • Using deceptive graphics inside pop-up ads to generate invalid ad traffic.
  • Automatically installing apps in the background to artificially promote those applications.
  • Like CallJam, sending premium text messages to commit telephony fraud.
  • Downloading additional plugins.

Chamois is not unlike DressCode in its use of malicious apps to build a botnet of Android devices. But it does stand out for several traits designed to help the malware evade detection.

First, it uses a custom encrypted file storage system to try to conceal some of its information from researchers' prying eyes.

Second, it uses several different obfuscation and anti-analysis techniques.

Third, Chamois executes its 100,000 lines of code (really!) in four distinct stages, which understandably took researchers some time to work through.

But Google's researchers persisted in their work to understand the fraud botnet. Their efforts ultimately paid off. As they explain in a blog post:

"We detected Chamois during a routine ad traffic quality evaluation. We analyzed malicious apps based on Chamois, and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics. This sometimes resulted in downloading of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad systems."

To protect themselves against malware like Chamois, Android users should make sure their device scans for security threats by visiting "Verify Apps" under their phone's Google Security settings. They should then try to download apps only from Google's Play Store. It's a good practice that eliminates many, but not all, Android-based threats.

To further strengthen their phones' security, users should carefully read the reviews and look over the list of permissions for each and every app before they download it. If the app asks for an excessive number of permissions or begins to misbehave upon installation, they should use Google's "Verify Apps" service to try to remove the app and notify Google's security team about the application's tricky business.
