Fraudsters and cybercriminals continue to target mobile app stores with malicious apps disguised as benign ones, and Google has just identified a large family of potentially harmful apps (PHAs) in the Play marketplace. The company has banned the apps, along with some of the people behind them who were using Google's ad system to make money from the apps.
Google has named the PHA family Chamois and said that it caught the apps through traffic analysis, which showed them trying to evade the company's security systems. The goal behind the apps appears to have been ad fraud, and the developers employed a few different techniques to get around Google's detection and prevention systems.
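The article does not say which traffic features gave Chamois away. As an illustration of the kind of traffic analysis an ad-fraud team runs, here is an added example (not Google's code or any description of its actual system) that aggregates a constructed ad-event log per app and flags apps whose click-to-impression ratio or click timing looks automated rather than human. The log format, field order and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median

# Constructed sample log: "<unix_ts> <package> <device_id> <event>".
# com.example.weather behaves like a normal app; com.example.booster
# fires machine-speed clicks on each device it is installed on.
SAMPLE_LOG = """\
1489000000 com.example.weather dev-a impression
1489000005 com.example.weather dev-a click
1489000060 com.example.weather dev-b impression
1489000090 com.example.weather dev-b impression
1489000100 com.example.booster dev-c impression
1489000101 com.example.booster dev-c click
1489000102 com.example.booster dev-c click
1489000103 com.example.booster dev-c click
1489000104 com.example.booster dev-c click
1489000110 com.example.booster dev-d impression
1489000111 com.example.booster dev-d click
1489000112 com.example.booster dev-d click
1489000113 com.example.booster dev-d click
"""


@dataclass
class AppStats:
    impressions: int = 0
    clicks: int = 0
    # Seconds between consecutive clicks from the same app on the same device.
    click_gaps: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Parse the assumed log format into (ts, app, device, kind) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, device, kind = line.split()
        events.append((int(ts), app, device, kind))
    return events


def aggregate(events) -> dict:
    """Count impressions/clicks per app and record inter-click gaps per device."""
    stats = defaultdict(AppStats)
    last_click = {}  # (app, device) -> timestamp of that device's last click
    for ts, app, device, kind in sorted(events):
        s = stats[app]
        if kind == "impression":
            s.impressions += 1
        elif kind == "click":
            s.clicks += 1
            key = (app, device)
            if key in last_click:
                s.click_gaps.append(ts - last_click[key])
            last_click[key] = ts
    return dict(stats)


def flag_suspicious(stats: dict, max_ctr: float = 0.5, min_median_gap: float = 5.0) -> dict:
    """Return {app: [reasons]} for apps whose traffic looks automated.

    Thresholds are illustrative assumptions: a click-through rate above max_ctr
    (more clicks than half the impressions) or a median gap between clicks on
    one device below min_median_gap seconds is implausible for a human user.
    """
    findings = {}
    for app, s in stats.items():
        reasons = []
        ctr = s.clicks / s.impressions if s.impressions else float("inf")
        if ctr > max_ctr:
            reasons.append(f"click-through rate {ctr:.2f} exceeds {max_ctr}")
        if s.click_gaps and median(s.click_gaps) < min_median_gap:
            reasons.append(f"median {median(s.click_gaps):.1f}s between clicks on one device")
        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in flag_suspicious(aggregate(parse_log(SAMPLE_LOG))).items():
        print(app, "->", "; ".join(reasons))
```

On the sample log only com.example.booster is flagged, on both counts; the weather app, with one click in three impressions and no repeated clicks, passes. In practice the thresholds would be tuned per ad format and combined with device-level signals, but the shape of the analysis, per-app rates plus per-device timing, is what lets fraud that hides from the device's app list still show up in the traffic it generates.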
“Our previous experience with ad fraud apps like this one enabled our teams to swiftly take action to protect both our advertisers and Android users. Because the malicious app didn’t appear in the device’s app list, most users wouldn’t have seen or known to uninstall the unwanted app.”
Google has a complex scoring system for potentially harmful apps, which includes the company's Verify Apps system that checks Android devices for apps that could be malicious or exhibit other unwanted behavior. In the case of Chamois, the apps had a multi-stage payload structure that included a custom encrypted storage area for configuration files and some other code. Google's engineers said their team had to look through more than 100,000 lines of code to figure out exactly what the Chamois-related apps were up to.
The company didn’t specify how many apps were related to the Chamois family.