Security engineers from the Google Security team have discovered and taken down a large family of Potentially Harmful Applications (PHAs) named Chamois. The researchers detected the malicious applications during a routine ad traffic evaluation.
Verify Apps played a central role in discovering and removing Chamois, because these applications do not appear in the list of installed apps, so most users would not even realize they have unwanted and potentially harmful programs on their device. While analyzing the malicious apps, the researchers also found that the Chamois-based adware uses several methods to avoid detection while displaying deceptive graphics designed to lure the victim into clicking the ads. In some cases, clicking the ads led to additional programs being downloaded onto the device, such as malware committing SMS fraud.
The experts describe Chamois as one of the largest PHA families seen so far; it also has a broad range of capabilities and spreads over multiple channels. The apps can send premium text messages, thereby committing telephony fraud. Other capabilities include installing additional apps in the background, as well as downloading and executing plug-ins without the user's consent, all with the goal of promoting apps artificially. Chamois can also generate invalid traffic by displaying ads with deceptive graphics.
Verify Apps has proven effective not only in detecting and removing unwanted applications but also in monitoring the general state of the Android ecosystem and discovering unknown PHAs through behavioral analysis. Many of the apps downloaded by the Chamois PHA had a high DOI score, implying they would not have been detected without Verify Apps.
A number of features of Chamois' workflow distinguish it from other similar threats and make it hard to detect. The malicious code is executed in four separate stages using different file formats. This multi-stage payload execution makes it very difficult for researchers to recognize apps from the family as harmful, since they need to analyze every single layer before they reach the malicious part of the code. The obfuscation and anti-analysis techniques used by the PHA can also prevent detection by security systems. In addition, Chamois uses special encrypted storage for its configuration files, which also has to be analyzed thoroughly, and the sheer size of the malicious APK required deeper analysis as well.
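The two traits just described, payload stages stored in a different file format inside the package and encrypted configuration blobs, are exactly what a first static triage pass over an APK looks for before any layer is unpacked. The script below is an added example written for this article, not Google's tooling and not derived from the Chamois samples: it walks an APK-style ZIP, flags entries under data directories (`assets/`, `res/raw/`) whose content starts with an executable-format magic (ZIP, DEX, ELF), and flags non-media entries whose Shannon entropy is close to 8 bits per byte, which is how ciphertext and packed stages look. The magic list, the directory list, the 7.5 threshold and the sample archive are all assumptions constructed for the demonstration.

```python
"""Added example (not from the article or from Google): static triage of an
APK-style ZIP for nested executable payloads and high-entropy blobs.
All input is constructed inline; no real Chamois sample is used."""
import io
import math
import zipfile

# Directories where an APK normally holds data, not code (assumption)
DATA_DIRS = ("assets/", "res/raw/")
# Already-compressed media is high-entropy without being encrypted, so skip it
MEDIA_EXTS = (".png", ".jpg", ".jpeg", ".webp", ".ogg", ".mp3", ".mp4")
# Magic bytes of formats a nested stage might be stored in (illustrative list,
# an assumption of this example, not taken from the Chamois analysis)
EXEC_MAGICS = {b"PK\x03\x04": "zip/jar/apk", b"dex\n": "dex", b"\x7fELF": "elf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random or encrypted data, lower for text/code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def executable_format(data: bytes):
    """Return the format name if the blob starts with a known executable magic."""
    for magic, name in EXEC_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5):
    """Return a list of (entry name, reason) findings for one APK-style archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            kind = executable_format(data)
            # A code-format blob sitting in a data directory is a candidate next stage
            if kind and name.startswith(DATA_DIRS):
                findings.append((name, f"{kind} payload stored as a data file"))
            # Near-uniform byte distribution in a non-media file suggests encryption
            if not name.lower().endswith(MEDIA_EXTS):
                h = shannon_entropy(data)
                if h >= entropy_threshold:
                    findings.append(
                        (name, f"high entropy {h:.2f} bits/byte, possibly encrypted config"))
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK-like archive for the demonstration (not a real sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as z:
        z.writestr("stage2.dex", b"dex\n035\x00" + bytes(64))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.constructed'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(256))   # legitimate root code
        z.writestr("res/raw/notes.txt", b"plain text resource\n" * 8)
        z.writestr("assets/payload.bin", inner.getvalue())        # nested archive in a data dir
        z.writestr("assets/config.enc", bytes(range(256)) * 16)   # uniform bytes stand in for ciphertext
    return outer.getvalue()


if __name__ == "__main__":
    for entry, reason in triage_apk(build_sample_apk()):
        print(f"{entry}: {reason}")
```

Run against the constructed sample, the pass reports `assets/payload.bin` as a nested archive and `assets/config.enc` as a high-entropy blob, while `classes.dex`, the manifest and the text resource are left alone. It is only a first filter: each flagged entry still has to be unpacked or decrypted and examined in turn, which is the layered analysis the article describes.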
Android users and advertisers no longer need to worry about Chamois, as Google has already added rules to Verify Apps to protect against this threat.