Google found a large number of hidden adware apps on Android devices


Google reports that it has identified a “fraud botnet” of malicious adware targeting Android devices. Google has named the adware family Chamois, and it took measures to avoid being noticed.

Google reports that it came across Chamois during a routine check. Chamois is a so-called potentially harmful application, or PHA. According to the search giant, Chamois was “one of the biggest Android PHAs to date to be spread across multiple channels.” The purpose of the adware was to generate traffic via pop-ups and install other apps in the background. In addition, the software was able to download additional plug-ins and send text messages to paid numbers.

The apps within the Chamois family took several measures to avoid standing out. For example, it was not visible to the user that such an app was installed on the system. In addition, the software executed its code in four different steps to hide malicious parts of the code. Before that, Chamois used obfuscation techniques and stored configuration files in encrypted storage.

In total, Chamois contained over 100,000 lines of code and appeared to be written by professional developers. Google says that Android’s Verify Apps feature contributed to the adware’s removal. For example, the function assigns a so-called DOI score to apps, which shows whether an app poses a possible risk to users. Google did not disclose how many apps were part of the Chamois family.

It is unknown how Chamois got onto Android devices. Since the apps were removed via Verify Apps, it is known that devices with this adware have the Google Play Store on board. However, the apps may also have ended up on the devices via an alternative download store or sideloading.

Different steps of Chamois adware
