Update The Brain Test mobile malware family has once again been evicted from Google Play.
Known for piggy-backing on fully functioning mobile applications, the malware’s various iterations try to root Android devices, download malicious APKs and inflate the Google Play ratings of other apps written by the same group of Chinese developers.
Worse yet is Brain Test’s ability to continually skirt protections such as Google Verify Apps (the former Bouncer) standing up the security of Google’s marketplace. For example, the most recent run of 13 apps removed by Google included one game called Cake Tower and had been downloaded between 10,000 and 50,000 times, according to Google. This is alongside other older samples that had been downloaded at least a half-million times.
Researchers at Lookout, a mobile security company, said it had been watching for Brain Test activity since a September report by Check Point Software Technologies exposed the malware’s activities.
“It seems likely that over two-to-three months, the malware authors used different names, games, and techniques to see what apps they could publish in Play while flying under the radar,” Lookout said in a report published today. “Then, just before Christmas, a game called Cake Tower received an update [Dec. 23]. The update turned on functionality similar to the initial versions of Brain Test and included a new command and control (C2) server, which was the smoking gun we needed to tie together the apps.”
Lookout also provided Threatpost was a complete list of the 13 apps that were removed:
- Cake Tower, com.beautiful.caketower
- Drag Box, com.block.dragbox
- Jump Planet, com.galaxy.jumpplanet
- Honey Comb, com.sweet.honeycomb
- Crazy Block, com.crazy.block
- Piggy Jump, com.stupid.piggyjump
- Hit Planet, com.smile.hitplanet
- Ninja Hook, com.sunshine.ninja
- Just Fire, com.tomtom.justfire
- Eat Bubble, com.fine.eatbubble
- Crazy Jelly, com.crazy.sugar
- Tiny Puzzle, com.dot.tinypuzzle
- Cake Blast, com.zhtt.cakeblast
Older Brain Test variants were adept at rooting Android devices while opening a backdoor connection to a command and control server. The rootkit includes persistence routines that resist removal short of re-flashing ROM on the device.
“It appears the primary goal of the malware is to download and install additional APKs as directed by the command-and-control server,” Lookout said. “The developers also used infected devices to download other malicious applications they had submitted to the Play Store, which would inflate the number of downloads each application received.”
Check Point’s original report on the malware offered at theory as to how it was beating Google Verify Apps and other defenses that make it tough to slip malicious apps onto Google Play. For example, Check Point said that the malware performs a check against a number of IP address ranges to determine whether it’s executed on a Google server. If so, the app will not execute, Check Point said.
“They used a combination of techniques, including detecting whether or not it was being run in an emulated environment and waiting for instructions from the command-and-control server before executing malicious functionality,” said Chris Dehganpoor, senior security analyst at Lookout. “Additionally, much of the malicious code was stored in an encrypted asset, which likely aided it’s evasion.”
Lookout also said that the malware’s primary function was to sell guaranteed application installations, its flexible design could allow the developers to leverage compromised Android devices for more harmful purposes.
“Like many of the aggressive adware families we’ve seen on Android recently (Shedun, ShiftyBug, Shuanet), Brain Test’s intent primarily appears to be monetization through guaranteed application installs and it does not currently appear that they’re interested in a users personal data,”Dehganpoor said. “However, because of the way the malware was authored, the developers could potentially enable functionality in the future that would allow them to exfiltrate user data.”
This article was updated Jan. 7 with additional comments from Lookout.