Google has weeded out a particularly pernicious family of potentially harmful apps from its Android Play store and ad ecosystem.
The rogue app family that Google has dubbed Chamois was responsible for generating a large volume of invalid ad traffic, for illegal app promotion and installation activity, and for downloading and executing plugins on end user devices without the user's knowledge or permission.
In a blog post this week, a trio of Google software security engineers described discovering Chamois during a routine analysis of ad traffic quality. The analysis showed malicious Chamois apps employing a bevy of methods to avoid detection by Google’s security mechanisms.
Chamois apps tricked users into clicking on advertisements and downloading apps by using deceptive graphics to prevent users from seeing what was actually going on. Some of the Chamois apps that ended up landing on end user devices were designed to commit Short Message Service (SMS) fraud by sending premium text messages from the devices.
In most cases, the malicious apps did not appear on the list of apps on a user’s Android device. So people with an infected device would have no way of knowing the nefarious apps existed or that they needed to uninstall the malware, the Google engineers said.
The three Google engineers described Chamois as one of the largest families of potentially harmful applications that Google had ever encountered on Play or in the Android ecosystem in general. The term ‘potentially harmful apps’ is something that Google uses to describe applications that are not categorically malicious by nature, but pose a danger to users all the same by serving up unwanted pop-up ads or tricking them into application downloads.
Several features made Chamois different from other potentially harmful applications, the Google engineers said. For example, Chamois used a four-stage process to execute its code with each stage involving a different file format. This made it harder to tell if apps in the family fell into the potentially harmful category or not.
The app also encrypted its configuration files and related code, which again made it harder for Google’s malware detection tools to quickly determine if they were potentially harmful. Google’s security engineers also had to go through more than 100,000 lines of code apparently written by professional developers in order to understand the full scope and potential of Chamois.
Google’s Verify Apps now automatically detects and helps users remove Chamois from Android devices. All those involved in using the app to game Google’s ad systems have been removed from the platform, the three Google engineers said.
Unwanted apps like Chamois highlight the need for users to keep Google’s Verify Apps feature turned on. Though the feature is activated by default on Android systems, users can turn it off.
Verify Apps is designed to constantly check device activity and to flag potentially harmful or suspicious actions to users. For instance, it warns users when they are about to download a potentially malicious app, and it helps them uninstall such apps after they are downloaded.