Situation
The Android security team was feeling pleased with itself. The group had detected, analyzed, and neutralized a sophisticated botnet built on tainted apps that all worked together to power ad and SMS fraud. Dubbed Chamois, the malware family had already cropped up in 2016 and was being distributed both through Google Play and third-party app stores. So the Android team started aggressively flagging and helping to uninstall Chamois until they were sure it was dead.
Solution
Steps to follow
Back With a Vengeance
After the March 2018 infection peak, the Android security team started collaborating with other defenders across Google, such as anti-abuse and ad security specialists and software engineers, to get a handle on the new version of Chamois. The first two variants the team tracked in 2016 and 2017 infected devices in four stages to organize and mask the attack. The 2018 version, though, contained six stages, antivirus testing engines, and even more sophisticated anti-analysis and anti-debugging shields to avoid discovery. Malware developers build these features into their code so it can detect when it is running in a testing environment—like the Android security analysis environment—and react by attempting to hide its malicious functionality.
The Chamois malware, like most types of botnets, receives commands remotely from a “command and control” server that coordinates infected devices to work on specific tasks. All the iterations of Chamois have focused on serving malicious ads and driving premium SMS scams.
Consummate Professionals
As they became increasingly acquainted with Chamois over the years, the Android security team concluded that the botnet’s most notable feature was the professionalism of its developers. The team uncovered dozens of carefully organized command and control servers for the botnet, and they also noticed that the malware included a mechanism called feature flags, which is commonly used in legitimate software development to enable and disable particular features in different parts of the world. Most notably, the Android researchers found that Chamois will become completely inert if it detects that it is running in China. Stone declined to offer a theory as to why.
Google now uses a combination of detection methods to police Chamois, including signature-based flags, machine-learning assessment, and behavioral analytics. The team also does monthly and quarterly check-ins on all Chamois stats so they’ll be able to quickly halt any new momentum the botnet gains.
The Android team promises to stay vigilant, knowing that there is probably nothing their Chamois rivals would like better than for them to be lulled into a false sense of security.