Within the past month, malware disguised as an Android game twice made its way into the Google Play store and each time had between 100,000 and 500,000 downloads – making for a potential total infection rate of one million users.
The threat is a working game called Brain Test and it was identified by researchers with Check Point.
Currently it has only been observed pushing advertisements, but the malware is quite advanced – it uses tricks to bypass Google Bouncer, the app vetting system, it uses privilege escalation exploits to gain root access on the device, and it takes steps to maintain persistence so it cannot easily be deleted. Even the way it pushes ads is aggressive since they can appear on any screen at any time, Avi Bashan, technology leader at Check Point, told, noting that the malware has a sophisticated framework that is only a few tweaks away from being able to practically take over a device.
According to Check Point Software Technologies, the Brain Test malware is able to place a rootkit on an infected Android device, enabling an attacker to run arbitrary code. There are multiple security mechanisms in place in Android and the Google Play site to prevent malware from running, yet the Brain Test malware was able to avoid them all using a number of different techniques.
Bashan said that the first version of Brain Test went into the Google Play store at an unknown date and was taken down on Aug. 24, and the second version went up on Sept. 10 and was taken down by Google on Sept. 15. The app, he added, does not ask for permissions or do anything glaring that would tip the user off that it is malicious.
Those who downloaded it will have to re-flash their device with an official ROM. Bashan said this is because “additional apps are used in order to preserve persistency on the device, so even if the user tries to delete the Brain Test app, the other app will reinstall the Brain Test app again without user confirmation.”
Bashan noted that the author of Brain Test showed additional sophistication when uploading the app to the Google Play store a second time. He explained how the developer used a tool made by Baidu – called Packer – that obfuscates code and hinders analysis and reverse engineering efforts. Meanwhile, the creator of Brain Test is not the only individual writing persistent malware for Android devices.