In March 2017, the Android security team was feeling pleased with itself. The group had detected, analyzed, and neutralized a sophisticated botnet built on tainted apps that all worked together to power ad and SMS fraud. Dubbed “Chamois,” the malware family had already cropped up in 2016, and was being distributed both through Google Play and third-party app stores. So the Android team started aggressively flagging and helping to uninstall Chamois until they were sure it was dead.
Eight months later in November 2017, though, Chamois roared back into the Android ecosystem, more ferocious than before. By March 2018, a year after Google thought it had been vanquished, Chamois hit an all-time high, infecting 20.8 million devices. Now, a year after that zenith, the Android team has whittled that number back down to fewer than 2 million infections. And at the Kaspersky Security Analyst Summit in Singapore this week, Android security engineer Maddie Stone is presenting a full post-mortem on how Google fought back against Chamois—again—and how personal the rivalry became.
“I actually gave a talk at Black Hat last year on what’s called ‘Stage Three’ of Chamois,” Stone told WIRED ahead of her talk. “And within 72 hours of me giving that talk they started trying to change the bytes and each of the indicators I talked about. We could see them manipulating it. The Chamois developers also fingerprinted our exact Android security analysis environment and built in protections for some of the customizations that we use.”
Back With a Vengeance
After the March 2018 infection peak, the Android security team started collaborating with other defenders across Google, like anti-abuse and ad security specialists and software engineers, to get a handle on the new version of Chamois. The first two variants the team tracked in 2016 and 2017 infected devices in four “stages” to organize and mask the attack. The 2018 version, though, contained six stages, antivirus testing engines, and even more sophisticated anti-analysis and anti-debugging shields to avoid discovery. Malware developers build these features into their code so it can detect when it is running in a testing environment—like the Android security analysis environment—and react by attempting to hide its malicious functionality.
The Chamois malware, like most types of botnets, receives commands remotely from a “command and control” server that coordinates infected devices to work on specific tasks. All the iterations of Chamois have focused on serving malicious ads and driving premium SMS scams.
When you donate money to a charity or pay for a digital service via text, you’re sending that message to a premium phone number. Premium SMS fraud tricks you into sending that money to cybercriminals instead. Android has offered protections against the types of scams since 2014, requiring explicit permission to text a premium number. But the Chamois malware first checked whether the devices it infected were rooted and, if so, took advantage of this expanded functionality to surreptitiously disable premium SMS warnings.
A victim of Chamois premium SMS fraud would discover the attack as soon as they got their mobile bill, but Stone says that the malware’s ad fraud payloads would have run silently in the background of infected devices, spewing malicious ads to the world without the owner of the infected phone realizing. In 2016 and 2017, the attackers snuck benign-looking apps tainted with Chamois into the Google Play Store as part of their distribution strategy. But as Google became increasingly adept at spotting and blocking these interlopers, the attackers were forced to diversify.
“A lot of the discussion before has been that with Android malware there’s a lot of low-hanging fruit,” Stone says. “But Chamois shows the sophistication you have to get to now as an attacker to be ‘successful.’ It is a well-engineered piece of code, I have to give them that, but it’s also scary that that’s where the malware is at this point.”
A big part of the Chamois reemergence stemmed from app developers and Android device manufacturers who were tricked into incorporating the Chamois code into their apps, and even preinstalled software. The attackers created a website and peddled Chamois to these third parties as a legitimate advertising software development kit that could provide ad distribution services.
Google Play Protect, which helps weed out bogus Android apps, has been increasingly able to detect when Chamois is running on a device and disable it. Google has also recently expanded its scanning of preinstalled code on partner devices, and further encouraged device makers to audit third-party code before shipping products—and not to ship that code at all if they’re not confident they can fully vet it.
As they became increasingly acquainted with Chamois over the years, the Android security team concluded that the botnet’s most notable feature was the professionalism of its developers. The team uncovered dozens of carefully organized command and control servers for the botnet, and also noticed that the malware included a mechanism called “feature flags” commonly used in legitimate software development to enable and disable particular features in different parts of the world. Most notably, the Android researchers found that Chamois will become completely inert if it detects that it is running in China. Stone declined to offer a theory as to why.
The Chamois developers also worked to keep a low profile, and rolled out updated versions of their malware gradually to infected devices. They would test an update on devices in a certain geographic region to confirm that the new code worked as intended before pushing it out more broadly.
Google now uses a combination of detection methods to police Chamois, including signature-based flags, machine learning assessment, and behavioral analytics. The team also does monthly and quarterly check-ins on all Chamois stats so they’ll be able to quickly halt any new momentum the botnet gains. And Stone says that the Android security team is still chipping away at the remaining 1.8 million infections. But, as always, the Chamois developers are continuing to fight back. In the past year since the March 2018 infection high, the researchers have seen 14,000 new Chamois samples.
“The actors weren’t stopping or slowing down, we were just trying to play smarter and really trying to push them back,” Stone says. “They are still attempting to gain ground. But we’re in a maintenance and monitoring phase now, because we are seeing constant declines with our existing measures.”
The Android team promises to stay vigilant, knowing that there is probably nothing their Chamois rivals would like better than for them to be lulled into a false sense of security.