Google has said that it recently identified and shut down a massive ad fraud Android botnet called Chamois, which may have infected scores of Android devices. Google claimed that the botnet operated stealthily to infect users via the Play Store, without their knowledge, bombarding them with popup ads and automatically installing other apps in the background.

Google security researchers said they chanced upon Chamois "during a routine ad traffic quality evaluation". According to Google, Chamois was "one of the largest" malware families seen on Android and distributed via "multiple channels".

Google security researchers Bernhard Grill, Megan Ruthven and Xin Zhao wrote in a blog post that Chamois "employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics". The researchers added that they blocked the ad fraud botnet and "also kicked out bad actors who were trying to game our ad systems".

Google explained that Chamois' code was executed in four different stages using different file formats. "This multi-stage process makes it more complicated to immediately identify apps in this family as a PHA [Potentially Harmful Applications] because the layers have to be peeled first to reach the malicious part. However, Google's pipelines weren't tricked as they are designed to tackle these scenarios properly," the researchers said.

Chamois was a massive campaign

The Google researchers said Chamois "tried to evade detection using obfuscation and anti-analysis techniques" and that it used a custom encrypted file storage system to configure files and other codes. Google's security teams had to wade through over 100,000 lines of "sophisticated code written by seemingly professional developers". The massive size of the botnet hampered the researchers' ability to quickly understand the technical details of Chamois.

It still remains unclear as to how many devices were infected by the Android malware family before Google took it down. In 2016, the HummingBad malware, which was yet another extensive Android ad fraud campaign, infected over 10 million devices at its peak and netted its operators around $300,000 a month.