Bye bye, botnet! Kibosh put on Chamois Android fraud network

Post-mortem analysis reveals several distinguishing traits…

David Bisson
@DMBisson

Security researchers have put the kibosh on Chamois, a fraud botnet which derived its jollies from targeting Android users.

One of the largest Android families of “potentially harmful applications” (or “potentially unwanted applications,” if you’d prefer), Chamois’ offenses are four-fold:

  • Using deceptive graphics inside pop-up ads to generate invalid ad traffic.
  • Automatically installing apps in the background to artificially promote those applications.
  • Like CallJam, sending premium text messages to commit telephony fraud.
  • Downloading additional plugins.

Chamois is not unlike DressCode in its use of malicious apps to build a botnet of Android devices. But it does stand out for several traits designed to help the malware evade detection.


First, it uses a custom encryption file storage system to try to conceal some of its information from researchers’ prying eyes.

Second, it uses several different obfuscation and anti-analysis techniques.

Third, Chamois executes its 100,000 lines of code (really!) in four distinct stages, which understandably took researchers some time to unravel.

But Google’s researchers persisted in their work to understand the fraud botnet. Their efforts ultimately paid off. As they explain in a blog post:

“We detected Chamois during a routine ad traffic quality evaluation. We analyzed malicious apps based on Chamois, and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics. This sometimes resulted in downloading of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad systems.”

To protect themselves against malware like Chamois, Android users should make sure their device scans for security threats by visiting “Verify Apps” under their phone’s Google Security settings. They should then try to download apps only from Google’s Play Store. It’s a good practice that eliminates many, though not all, Android-based threats.

To further strengthen their phones’ security, users should carefully read the reviews and look over the list of permissions for each and every app before they download it. If the app asks for an excessive number of permissions or begins to misbehave upon installation, they should use Google’s “Verify Apps” service to try to remove the app and notify Google’s security team about the application’s tricky business.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
