Malicious applications have been sneaking into the Google Play Store and affecting users’ devices. Just recently, the mobile security firm Lookout reported 13 compromised applications in the Store, and Google has since removed them. However, Lookout’s researchers have made a more troubling discovery: the developers of the Brain Test malware have returned.
BrainTest Malware Timeline
When Check Point researchers analyzed Brain Test back in September 2015, they concluded that the malware had reached a new level of sophistication. Brain Test then became one of the biggest threats on the mobile malware market.
The first appearance of Brain Test followed a scenario similar to that of the 13 recently deleted Google Play apps. The malware was included in an Android game called Brain Test, which was published twice on Google Play. Statistics revealed that each instance was downloaded between 100,000 and 500,000 times, so the malware reached somewhere between 200,000 and 1 million users. Once Check Point researchers discovered the malware, now dubbed Brain Test, they contacted Google Play.
However, the malware authors didn’t waste much time. In October 2015, Lookout discovered new instances of Brain Test similar to the initial ones. The bad news? Some of the newly discovered apps had hundreds of thousands of downloads and, even worse, at least a four-star average review score. Such high scores suggested that users were having a good experience with the apps.
The conclusion was easy to make: the developers of the Brain Test malware had successfully entered Google Play by using a seemingly legitimate game. At the time of those discoveries, Lookout researchers were still not sure who the developers of the malware were. Just before Christmas, the Cake Tower game received an update adding functionality similar to that of the first versions of Brain Test, which partially gave away the malware’s origin. A new command and control server was also discovered, which confirmed who the developers were.
This is what Chris Dehghanpoor of the mobile security firm Lookout said:
“Some [apps] are highly rated because they are fun to play. Mischievously, though, the apps are capable of using compromised devices to download and positively review other malicious apps in the Play Store by the same authors. This helps increase the download figures in the Play Store. Specifically, it attempts to detect if a device is rooted, and if so, copies several files to the system partition in an effort to ensure persistence, even after a complete factory reset.”
Some of the applications removed from Google Play included Cake Tower, Cake Blast, Eat Bubble, Honey Comb, Crazy Jelly, Crazy Block, and Tiny Puzzle.
What Do Brain Test Malware Strains Do?
As Lookout points out, once the initial persistence routine is complete, several background services continuously check in with the command-and-control servers. As with the initial Brain Test versions, the latest variant is also programmed to download additional configuration parameters from the command-and-control server, execute arbitrary commands as root, and dynamically execute Java code.
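A defender-side check implied by the persistence mechanism above, as an added example that is not from Lookout or the original article: Brain Test survives a factory reset by writing into the system partition of rooted devices, so one way to catch such additions is to diff a current listing of /system against a known-good baseline from the same firmware build. The listing format, file names and sizes below are constructed placeholders, not real indicators.

```python
import re
# One "ls -l"-style line: perms, owner, group, size, absolute path.
# The field layout is a constructed simplification of real ls output.
LINE_RE = re.compile(
    r"^([-dlrwxst]{10})\s+(\S+)\s+(\S+)\s+(\d+)\s+(/\S+)$")

def parse_listing(text):
    """Map each path to (perm, owner, group, size); reject malformed lines."""
    entries = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable listing line: {line!r}")
        perm, owner, group, size, path = m.groups()
        entries[path] = (perm, owner, group, int(size))
    return entries

def diff_against_baseline(baseline, current):
    """Return paths added, missing, or changed relative to the baseline."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }

# Constructed known-good listing, as if captured from a clean device of the
# same firmware build before it was ever rooted.
BASELINE = """
-rw-r--r-- root root 1234567 /system/app/Calculator/Calculator.apk
-rw-r--r-- root root 2345678 /system/app/Gallery2/Gallery2.apk
-rwxr-xr-x root shell 312424 /system/bin/toolbox
-rw-r--r-- root root 51234 /system/etc/hosts
"""

# Constructed listing from the device under review. The two extra paths and
# the resized hosts file are placeholders, not real Brain Test indicators.
CURRENT = """
-rw-r--r-- root root 1234567 /system/app/Calculator/Calculator.apk
-rw-r--r-- root root 2345678 /system/app/Gallery2/Gallery2.apk
-rw-r--r-- root root 498112 /system/app/ExampleDropper.apk
-rwxr-xr-x root shell 312424 /system/bin/toolbox
-rwxr-xr-x root root 9104 /system/bin/example_helper
-rw-r--r-- root root 51890 /system/etc/hosts
"""

def review_device():
    """Diff the constructed device listing against the constructed baseline."""
    return diff_against_baseline(parse_listing(BASELINE), parse_listing(CURRENT))
```

Anything in the "added" or "changed" sets is worth pulling off the device and inspecting, since a legitimate factory reset never touches these paths.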