{
	"id": "e3597c62-a5b1-46e6-ad5b-dbde9bc33343",
	"created_at": "2026-04-06T00:07:08.990161Z",
	"updated_at": "2026-04-10T13:12:04.071335Z",
	"deleted_at": null,
	"sha1_hash": "060b82bfdd1a54f53b039e65445575f461db5199",
	"title": "Detecting and eliminating Chamois, a fraud botnet on Android",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 448855,
	"plain_text": "Detecting and eliminating Chamois, a fraud botnet on Android\r\nArchived: 2026-04-05 20:11:45 UTC\r\nPosted by Security Software Engineers—Bernhard Grill, Megan Ruthven, and Xin Zhao\r\n\r\nGoogle works hard to protect users across a variety of devices and environments. Part of this work involves defending users against Potentially Harmful Applications (PHAs), an effort that gives us the opportunity to observe various types of threats targeting our ecosystem. For example, our security teams recently discovered a new PHA family we've named Chamois and defended users of our ads and Android systems against it.\r\n\r\nChamois is an Android PHA family capable of:\r\nGenerating invalid traffic through ad pop-ups that contain deceptive graphics inside the ad\r\nPerforming artificial app promotion by automatically installing apps in the background\r\nPerforming telephony fraud by sending premium text messages\r\nDownloading and executing additional plugins\r\nInterfering with the ads ecosystem\r\n\r\nWe detected Chamois during a routine ad traffic quality evaluation. We analyzed malicious apps based on Chamois and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics. This sometimes resulted in the download of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad systems.\r\n\r\nOur previous experience with ad fraud apps like this one enabled our teams to swiftly take action to protect both our advertisers and Android users. Because the malicious app didn't appear in the device's app list, most users wouldn't have seen it or known to uninstall the unwanted app. This is why Google's Verify Apps is so valuable: it helps users discover PHAs and delete them.\r\n\r\nUnder Chamois's hood\r\n\r\nChamois was one of the largest PHA families seen on Android to date and was distributed through multiple channels. To the best of our knowledge, Google is the first to publicly identify and track Chamois.\r\n\r\nChamois had a number of features that made it unusual, including:\r\n\r\nMulti-staged payload: Its code is executed in 4 distinct stages using different file formats, as outlined in the diagram in the original post. This multi-stage process makes it more complicated to immediately identify apps in this family as a PHA because the layers have to be peeled first to reach the malicious part. However, Google's pipelines weren't tricked, as they are designed to handle these scenarios properly.\r\n\r\nSelf-protection: Chamois tried to evade detection using obfuscation and anti-analysis techniques, but our systems were able to counter them and detect the apps accordingly.\r\n\r\nCustom encrypted storage: The family uses a custom, encrypted file storage for its configuration files and additional code, which required deeper analysis to understand the PHA.\r\n\r\nSize: Our security teams sifted through more than 100K lines of sophisticated code written by seemingly professional developers. Due to the sheer size of the APK, it took some time to understand Chamois in detail.\r\n\r\nGoogle's approach to fighting PHAs\r\n\r\nVerify Apps protects users from known PHAs by warning them when they are downloading an app that is determined to be a PHA, and it also enables users to uninstall the app if it has already been installed. Additionally, Verify Apps monitors the state of the Android ecosystem for anomalies and investigates the ones that it finds. It also helps find unknown PHAs through behavior analysis on devices. For example, many apps downloaded by Chamois were highly ranked by the DOI (Dead or Insecure) scorer. We have implemented rules in Verify Apps to protect users against Chamois.\r\n\r\nGoogle continues to significantly invest in its counter-abuse technologies for Android and its ad systems, and we're proud of the work that many teams do behind the scenes to fight PHAs like Chamois.\r\n\r\nWe hope this summary provides insight into the growing complexity of Android botnets. To learn more about Google's anti-PHA efforts and how to further reduce the risks PHAs pose to users, devices, and ad systems, keep an eye out for the upcoming \"Android Security 2016 Year In Review\" report.\r\n\r\nSource: https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html"
	],
	"report_names": [
		"detecting-and-eliminating-chamois-fraud.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434028,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/060b82bfdd1a54f53b039e65445575f461db5199.pdf",
		"text": "https://archive.orkl.eu/060b82bfdd1a54f53b039e65445575f461db5199.txt",
		"img": "https://archive.orkl.eu/060b82bfdd1a54f53b039e65445575f461db5199.jpg"
	}
}