Google has recently found and blocked a sophisticated ad-fraud botnet that was distributed through many channels and employed several methods to avoid detection.
Dubbed Chamois, this botnet is one of the largest Potentially Harmful Application (PHA) families seen on Android to date, and it could remain persistent on infected devices by not appearing in the application list at all. The malicious program is also capable of generating revenue by engaging in various fraudulent activities, says Google.
The malicious apps that Google analysed are based on Chamois and generate invalid traffic through ad pop-ups and by displaying deceptive graphics inside these ads. They could perform artificial app promotion by automatically installing apps in the background, perform telephony fraud by sending premium text messages, or download and execute additional plugins on the compromised devices.
These malicious apps did not appear in the device's app list, which prevented users from removing them because they could not find them. Furthermore, the deceptive graphics used to trick users into clicking the ads could sometimes result in an additional malicious application being downloaded onto the device, such as an SMS fraud program.
Beyond staying hidden on the targeted Android devices, Chamois had other features that set it apart: as a multi-staged payload, its code executes in four distinct stages using different file formats.
“This multi-stage process makes it more complicated to immediately identify apps in this family as a PHA because the layers have to be peeled first to reach the malicious part. However, Google’s pipelines weren’t tricked as they are designed to tackle these scenarios properly,” Security Software Engineers Bernhard Grill, Megan Ruthven, and Xin Zhao explain.
The PHA attempted to evade detection with the help of obfuscation and anti-analysis techniques, while also using a custom, encrypted file storage for its configuration files, along with additional code that required deeper analysis.