In March 2017, the Android security team was feeling pleased with itself. The group had detected, analyzed, and neutralized a sophisticated botnet built on tainted apps that all worked together to power ad and SMS fraud. Dubbed Chamois, the malware family had already cropped up in 2016 and was being distributed both through Google Play and third-party app stores. So the Android team started aggressively flagging and helping to uninstall Chamois until they were sure it was dead.

Eight months later, though, in November 2017, Chamois roared back into the Android ecosystem, more ferocious than before. By March 2018, a year after Google thought it had been vanquished, Chamois hit an all-time high, infecting 20.8 million devices. Now, a year after that zenith, the Android team has whittled that number back down to fewer than 2 million infections. And at the Kaspersky Security Analyst Summit in Singapore this week, Android security engineer Maddie Stone is presenting a full post-mortem on how Google fought back against Chamois—again—and how personal the rivalry became.

"I actually gave a talk at Black Hat last year on what’s called 'stage three' of Chamois," Stone told WIRED ahead of her talk. "And within 72 hours of me giving that talk, they started trying to change the bytes and each of the indicators I talked about. We could see them manipulating it. The Chamois developers also fingerprinted our exact Android security analysis environment and built in protections for some of the customizations that we use."

Back With a Vengeance

After the March 2018 infection peak, the Android security team started collaborating with other defenders across Google, like anti-abuse and ad security specialists and software engineers, to get a handle on the new version of Chamois. The first two variants the team tracked in 2016 and 2017 infected devices in four stages to organize and mask the attack. The 2018 version, though, contained six stages, antivirus testing engines, and even more sophisticated anti-analysis and anti-debugging shields to avoid discovery. Malware developers build these features into their code so it can detect when it is running in a testing environment—like the Android security analysis environment—and react by attempting to hide its malicious functionality.

The Chamois malware, like most types of botnets, receives commands remotely from a "command and control" server that coordinates infected devices to work on specific tasks. All the iterations of Chamois have focused on serving malicious ads and driving premium SMS scams.

When you donate money to a charity or pay for a digital service via text, you're sending that message to a premium phone number. Premium SMS fraud tricks you into sending that money to cybercriminals instead. Android has offered protections against this type of scam since 2014, requiring explicit permission to text a premium number. But the Chamois malware first checked whether the devices it infected were rooted, and, if so, it took advantage of this expanded functionality to surreptitiously disable premium SMS warnings.

A victim of Chamois premium SMS fraud would discover the attack as soon as they got their mobile bill, but Stone says that the malware's ad fraud payloads would have run silently in the background of infected devices, spewing malicious ads to the world without the owner of the infected phone realizing. In 2016 and 2017, the attackers snuck benign-looking apps tainted with Chamois into the Google Play Store as part of their distribution strategy. But as Google became increasingly adept at spotting and blocking these interlopers, the attackers were forced to diversify.

“A lot of the discussion before has been that with Android malware there’s a lot of low-hanging fruit,” Stone says. “But Chamois shows the sophistication you have to get to now as an attacker to be successful. It is a well-engineered piece of code, I have to give them that, but it’s also scary that that’s where the malware is at this point."