The previous Irdeto Perspective blog provided several examples of how reverse engineering is employed today; the techniques ranged from mild, such as discovering upcoming features, to malicious, such as exploiting backdoors into applications. In this blog, we look at how some software publishers have defended themselves against reverse engineering by investing heavily in developing their own custom anti-analysis solutions.
Intellectual property protection is a common driver for employing software security. I recently watched the presentations by Maddie Stone, a Security Reverse Engineer at Google, about the Chamois botnet malware. Malware, although malicious, is a perfect example of software whose developers want to protect it from reverse engineering. Maddie's talks at Black Hat 2018 and the Security Analyst Summit in Singapore in 2019 provide a great case study in developing software protections internally with a dedicated security engineering team.
Chamois was first noticed in 2016, when the malware and its various descendants perpetrated multiple forms of fraud; SMS and advertising fraud are the specific examples Maddie cites in her presentations.
By March 2017, the Google Play security team thought they had put sufficient safeguards in place against Chamois, and they claimed to have defeated it in July of that year. Still, the botnet must have been a lucrative endeavor, because by January 2018 Maddie and a teammate on the Google Ad research team both noticed new suspicious applications and ad traffic appearing from Android devices. After some investigation, they concluded that this was an evolution of Chamois. It was back, better than ever, and infecting an estimated 20.8 million Android devices at its peak.
Maddie's presentations give a clear, in-depth, step-by-step overview of the defenses employed by Chamois. I encourage you to watch both presentations, or to read her Virus Bulletin paper, if you want all the technical details. What made this botnet so notable (and successful) was the sophistication of its anti-analysis capabilities. For example, every version of the software contained:
- Randomly generated class and file names
- A custom loader with in-place decryption
- Encrypted code and payloads
- Anti-reverse-engineering and anti-debugging capabilities
- More than 37 system property checks, including checks that detect Android emulators
- Encrypted communication to and from the head end (its command-and-control infrastructure)
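To make the last list item concrete, here is an added example (written for this post; it is not Chamois code and not Google's analysis tooling) of what "system property checks" look like from the analyst's side. It parses the `[name]: [value]` format of `adb shell getprop` and scores a dump against well-known emulator giveaways (goldfish/ranchu hardware names, QEMU properties, generic build identifiers). The three property dumps, the indicator list, and the decision threshold are constructed for the example, not taken from the malware; the point the third dump makes is that patching one or two properties in a sandbox does not defeat a sample that stacks dozens of such checks.

```python
"""Analyst-side reproduction of emulator-detection system property checks.

Example code for this post, not Chamois's own logic. The property dumps
below are constructed to look like `adb shell getprop` output.
"""
import re
from typing import Callable, Dict, List, Tuple

# One line of getprop output looks like: [ro.hardware]: [ranchu]
PROP_LINE = re.compile(r"^\[(?P<name>[^\]]+)\]:\s*\[(?P<value>[^\]]*)\]$")

Props = Dict[str, str]
Check = Callable[[Props], bool]


def parse_getprop(dump: str) -> Props:
    """Turn a getprop dump into a {name: value} dict, ignoring malformed lines."""
    props: Props = {}
    for line in dump.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("name")] = m.group("value")
    return props


def _contains(name: str, *needles: str) -> Check:
    """Build a check that fires when property `name` contains any needle."""
    return lambda p: any(n in p.get(name, "").lower() for n in needles)


# (description, predicate). These are widely documented goldfish/ranchu/QEMU
# indicators; the selection is an assumption for this example.
EMULATOR_CHECKS: List[Tuple[str, Check]] = [
    ("ro.kernel.qemu == 1", lambda p: p.get("ro.kernel.qemu") == "1"),
    ("ro.boot.qemu == 1", lambda p: p.get("ro.boot.qemu") == "1"),
    ("ro.hardware is goldfish/ranchu", lambda p: p.get("ro.hardware") in ("goldfish", "ranchu")),
    ("ro.product.model mentions sdk/emulator", _contains("ro.product.model", "sdk", "emulator")),
    ("ro.product.device starts with generic", lambda p: p.get("ro.product.device", "").startswith("generic")),
    ("ro.build.fingerprint mentions generic", _contains("ro.build.fingerprint", "generic")),
    ("ro.build.tags == test-keys", lambda p: p.get("ro.build.tags") == "test-keys"),
    ("a qemu.* property is present", lambda p: any(k.startswith("qemu.") for k in p)),
    ("init.svc.qemud is present", lambda p: "init.svc.qemud" in p),
    ("ro.bootloader == unknown", lambda p: p.get("ro.bootloader") == "unknown"),
    ("ro.serialno missing or EMULATOR*",
     lambda p: not p.get("ro.serialno") or p["ro.serialno"].upper().startswith("EMULATOR")),
]


def emulator_score(props: Props) -> Tuple[int, List[str]]:
    """Return how many checks fired and which ones."""
    hits = [desc for desc, check in EMULATOR_CHECKS if check(props)]
    return len(hits), hits


def looks_like_emulator(props: Props, threshold: int = 2) -> bool:
    """The go/no-go decision a sample makes before unpacking its real payload.

    The threshold of 2 is an assumption for this example."""
    return emulator_score(props)[0] >= threshold


# Constructed dump resembling a stock x86 Android emulator image.
EMULATOR_DUMP = """
[ro.kernel.qemu]: [1]
[ro.boot.qemu]: [1]
[ro.hardware]: [ranchu]
[ro.product.model]: [Android SDK built for x86]
[ro.product.device]: [generic_x86]
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:user/release-keys]
[ro.build.tags]: [release-keys]
[qemu.sf.lcd_density]: [420]
[init.svc.qemud]: [running]
[ro.bootloader]: [unknown]
[ro.serialno]: [EMULATOR30X1X2X0]
"""

# Constructed dump resembling a retail handset.
PHONE_DUMP = """
[ro.kernel.qemu]: [0]
[ro.hardware]: [qcom]
[ro.product.model]: [Pixel 4a]
[ro.product.device]: [sunfish]
[ro.build.fingerprint]: [google/sunfish/sunfish:11/RQ1A.210105.003/7005429:user/release-keys]
[ro.build.tags]: [release-keys]
[ro.bootloader]: [s5-0.3-6843005]
[ro.serialno]: [0A1B2C3D4E5F]
"""

# Constructed dump of a sandbox that only patched the three best-known tells.
PATCHED_SANDBOX_DUMP = EMULATOR_DUMP.replace("[ro.kernel.qemu]: [1]", "[ro.kernel.qemu]: [0]") \
    .replace("[ro.hardware]: [ranchu]", "[ro.hardware]: [qcom]") \
    .replace("[Android SDK built for x86]", "[Pixel 4a]")


if __name__ == "__main__":
    for label, dump in (("emulator", EMULATOR_DUMP), ("phone", PHONE_DUMP),
                        ("patched sandbox", PATCHED_SANDBOX_DUMP)):
        score, hits = emulator_score(parse_getprop(dump))
        print(f"{label}: {score} checks fired, emulator={looks_like_emulator(parse_getprop(dump))}")
        for h in hits:
            print("  -", h)
```

Run against a real device with `adb shell getprop > dump.txt` and feed the file to `parse_getprop`; a sandbox that still scores above the threshold is one a Chamois-style sample would refuse to unpack in.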
All of these features together allowed the latest botnet software to hide successfully inside applications that Original Design Manufacturers (ODMs) and Original Equipment Manufacturers (OEMs) included in pre-installed Android device images. This was one of the key mechanisms Chamois used to infiltrate such a large number of Android devices.
Clearly, given the large and quickly evolving feature set, this malware was the work of a sizable and capable engineering team, not of a single individual toiling away in a basement. To give you an idea of their agility and resourcing, Maddie states that the botnet actors had identified Google's test environment and started making modifications to counter it within 72 hours of her first presentation at Black Hat in 2018, before the video was even available online.
The Chamois story is illustrative in many ways. The anti-analysis technology allowed the botnet software to propagate to millions of devices and elude detection by OEMs and ODMs, which demonstrates that anti-reverse-engineering technology does make software materially harder for hackers to analyze. But, despite the best efforts of the capable and well-resourced Chamois team, Google's security team had largely identified and removed this malware from most Android devices within a year. That second part of the story tells us that no anti-analysis solution is perfect, so dedicating an engineering team wholly to this task may not be the best business investment. In the end, you can protect your solution against the majority of hackers out there by employing proven anti-analysis techniques.
Again I ask: if I had a million dollars, would I invest in an internal security team?
Well, if I had a million dollars, then based on the story of Chamois I'd leave software security to proven, automated protection solutions instead of building my own software security team.