Chamois

Chamois is a family of malicious ad fraud applications targeting Android devices. It was discovered in March 2017 after Google engineers were performing a routine ad traffic quality evaluation. The malware tries to trick users into clicking ads by displaying deceptive graphics, sometimes resulting in downloading other apps that executes SMS fraud. It uses several methods for evading detection, including deleting itself from the device’s app list so users won’t locate it to uninstall it. It executes in four stages using different file formats, making it more difficult to immediately identify apps in this family as malicious. It uses obfuscation and anti-analysis techniques, and uses custom, encrypted file storage for its configuration files, requiring deeper analysis to understand this threat.

Reporting

  • March 2017: Google security researchers have blocked the Chamois ad fraud family. Users should scan their device for security threats using the "Verify Apps" tool in their phone's Google Security Settings. (Graham Cluley)

Technical Details

  • Google provides technical analysis of the Chamois malware family, here.