How Android fought the chamois botnet and won




In March 2017, the Android security team had reason to feel pleased with itself. It had detected, analyzed and neutralized a sophisticated botnet built from compromised apps that worked together to commit ad fraud and SMS fraud. Nicknamed "Chamois", the malware family had been active since 2016 and was distributed through both Google Play and third-party app stores. The Android team had aggressively flagged Chamois and helped users uninstall it until it was confident the botnet was dead.

Eight months later, in November 2017, Chamois returned to the Android ecosystem, more aggressive than before. In March 2018, a year after Google thought it had been defeated, Chamois hit an all-time high of 20.8 million infected devices. Now, a year after that peak, the Android team has cut that number to under 2 million infections. At Kaspersky's Security Analyst Summit in Singapore this week, Android security engineer Maddie Stone presented a full post-mortem on how Google fought Chamois a second time, and how the rivalry became personal.

"I actually gave a talk at Black Hat last year on Chamois's 'third stage'," Stone told WIRED before her talk. "And within 72 hours of my talk, they started trying to change the bytes and every one of the indicators I talked about; we could see them manipulating it. The Chamois developers also identified our Android security analysis environment and built in protections against some of the customizations we use."

Back with a vengeance

After the March 2018 infection peak, the Android security team began collaborating with other groups at Google, such as anti-abuse and ad-security specialists and software engineers, to get to grips with the new version of Chamois. The first two variants, seen in 2016 and 2017, infected devices in four "stages" to organize and hide the attack. The 2018 release, however, used six stages, more sophisticated evasion of antivirus engines, and additional anti-analysis and anti-debugging shields to avoid discovery. Malware developers build these features into their code so that it can detect when it is running in a test environment, such as the Android security analysis environment, and respond by hiding its malicious functionality.
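To make the anti-analysis idea concrete, here is an added illustration of the kind of environment fingerprinting such a stage performs. This is example code written for this page, not Chamois's actual code (which the article does not show); the emulator indicators it checks are generic, well-known Android emulator properties, and a real sample would use many more, including checks tuned to a specific analysis environment.

```java
import android.os.Build;
import android.os.Debug;

/**
 * Illustrative environment checks of the sort an anti-analysis stage runs
 * before deciding whether to fetch and execute the next stage.
 * Added example; not the malware's real code.
 */
public final class EnvironmentCheck {

    private EnvironmentCheck() {}

    // Build properties that stock Android emulators typically expose.
    // Assumption: these strings match common emulator images; they are
    // the classic indicators, not a complete or current list.
    static boolean looksLikeEmulator() {
        String fingerprint = Build.FINGERPRINT;
        String model = Build.MODEL;
        String hardware = Build.HARDWARE;
        String product = Build.PRODUCT;
        return fingerprint.startsWith("generic")
            || fingerprint.contains("emulator")
            || model.contains("Android SDK built for x86")
            || model.contains("Emulator")
            || "goldfish".equals(hardware)   // classic emulator kernel name
            || "ranchu".equals(hardware)     // newer emulator kernel name
            || product.contains("sdk");
    }

    // Anti-debugging: a debugger attached via ADB/JDWP is a strong hint
    // that an analyst, not a victim, is looking at the process.
    static boolean debuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /**
     * The "react by hiding" step: when any check fires, the caller takes
     * only the benign-looking ad-SDK code path and never unpacks the
     * malicious stage, so a sandbox run records nothing suspicious.
     */
    public static boolean safeToRunPayload() {
        return !(looksLikeEmulator() || debuggerAttached());
    }
}
```

The defensive takeaway is the mirror image: an analysis environment must present device properties that do not match these patterns, and, as Stone's remark about Chamois fingerprinting Google's environment shows, any fixed customization a sandbox adds becomes an indicator the attacker can test for once it is known.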

Like most botnets, Chamois receives commands remotely from a "command and control" server that coordinates infected devices to carry out specific tasks. Every iteration of Chamois has focused on serving malicious ads and running premium SMS fraud.

When you donate to a charity or pay for a digital service by SMS, you send the message to a premium-rate phone number. Premium SMS fraud makes your phone send such messages so that the money goes to cybercriminals instead. Android has offered protection against this type of scam since 2014 by requiring explicit permission before an app can text a premium number. But Chamois first checked whether the devices it infected were rooted and, if so, used that elevated access to silently disable the premium SMS warnings.

A victim of Chamois's premium SMS fraud would discover the attack as soon as the phone bill arrived, but Stone said the ad-fraud payloads ran silently in the background of infected devices, generating fraudulent ad traffic without the user noticing. In 2016 and 2017, as part of their distribution strategy, the attackers planted seemingly benign apps laced with Chamois in the Google Play Store. But as Google got better at spotting and blocking these intruders, the attackers were forced to diversify.

"We used to talk a lot about how, with Android malware, there was a lot of low-hanging fruit," says Stone. "But Chamois shows the degree of sophistication you now have to reach as an attacker to 'succeed'. It's well-crafted code, I have to give them that, but it's also scary to realize that this is where malware is now."

Much of Chamois's resurgence came from Android app developers and device makers who were tricked into integrating Chamois code into their apps, or even shipping it preinstalled on devices. The attackers set up a website and peddled Chamois to these third parties as a legitimate advertising SDK that would provide ad-serving services.

Google Play Protect, which scans for and removes malicious Android apps, is increasingly able to detect when Chamois is running on a device and disable it. Google has also recently expanded its analysis of preinstalled code on partner devices and has urged device manufacturers to audit third-party code before shipping products, and not to ship code at all unless they are sure they fully understand what it does.

Consummate Professionals

As it got to know Chamois over the years, the Android security team concluded that the botnet's most notable feature was the professionalism of its developers. The team uncovered dozens of carefully organized command and control servers for the botnet, and found that the malware contained a "feature flag" mechanism, of the kind commonly used in legitimate software development, to enable and disable particular capabilities in different parts of the world. Android researchers discovered that Chamois would go completely inert if it detected it was running in China. Stone declined to offer a theory as to why.

The Chamois developers also worked to keep a low profile and gradually rolled out updated versions of their malware to infected devices. They would test an update on devices in one geographic region to confirm the new code worked as expected before distributing it more widely.

Google now uses a combination of detection methods to keep Chamois in check, including signature-based indicators, machine learning evaluation and behavioral analysis. The team also runs monthly and quarterly check-ins on all of its Chamois statistics, so it can quickly shut down any new momentum the botnet gains. Stone says the Android security team is still working to reduce the remaining 1.8 million infections. But, as ever, the Chamois developers keep fighting back. In the year since the March 2018 infection peak, researchers have seen 14,000 new Chamois samples.

"The actors didn't stop or slow down; we just had to play smarter and really try to push them back," said Stone. "They are still trying to gain ground, but we are in a maintenance and monitoring phase, because we are seeing a steady decline in the existing metrics."

The Android team has pledged to stay vigilant, knowing that there is probably nothing its Chamois rivals would like more than for it to be lulled into a false sense of security.
