Click to Skip Ad
Closing in...

How Android defeated ‘the biggest botnet you’ve never heard of’

Published Apr 11th, 2019 1:16PM EDT
android chamois
Image: Google

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

Speaking this week at the Kaspersky Security Analyst Summit in Singapore, Android security engineer Maddie Stone shed new light on the years-long battle between Google’s mobile operating system and a particularly nasty malware known as Chamois. As Decipher reports, beating the botnet was far from easy.

Chamois, which at its peak infected nearly 21 million Android devices, is incredibly sophisticated and dangerous, bleeding users of cash and information without them even realizing it. The battle to halt its spread has led to new Android security features and, after nearly three years, Google finally has the upper hand.

In any debate between iOS and Android devotees, security is bound to come up sooner or later. Apple’s “walled garden” approach is excellent at preventing a lot of nasty malware and scams from infiltrating its mobile operating system, but it’s also very rigid. Android is more open, for better and for worse.

There’s a lot of things you’re not allowed to do on iOS that you can easily accomplish with an Android device. The downside is that with more freedom comes more ways for bad actors to exploit potential vulnerabilities using cleverly-disguised apps. That’s exactly how Chamois got its foothold on Android in 2016, and as Google started to catch on, new versions of Chamois began to spread across millions and millions of devices.

In 2017, Google thought it won the battle, announcing that Chamois had been beaten. The malware developers were listening, however, and quickly developed a new version of Chamois that began spreading in early 2018. A fourth version followed shortly thereafter, and by March of 2018 some 20.8 million devices were infected.

The malware received commands from “command-and-control” servers, turning millions of Android devices into a botnet to spam users with ads and scams. The malware was distributed in a number of ways, both within apps and via legitimate-seeming ad services. According to Stone, Google has detected over 27,000 different app packages that contained Chamois.

Slowly but surely, Android’s security team began to gain ground, patching up exploits and then patching the new exploits that the Chamois developers were using as backups. Google Play Protect, which monitors apps and hunts for malware and other nasty surprises, is more efficient at detecting Chamois variants than ever, and the number of devices in the Chamois botnet has decreased by 91 percent.

Stone says the team is in “maintenance and monitoring” mode, keeping an eye out for new versions of Chamois as it continues to whittle away at the remaining infected devices. Going forward, it’ll be interesting to see whether Chamois makes a comeback or if Google has won the battle and the war.

More Tech