The Brain Test mobile malware family has once again been evicted from Google Play.
Known for piggy-backing on fully functioning mobile applications, the malware’s various iterations try to root Android devices, download malicious APKs and inflate the Google Play ratings of other apps written by the same group of Chinese developers.
Worse yet is Brain Test’s ability to repeatedly skirt protections such as Google Verify Apps (the former Bouncer) that are meant to secure Google’s marketplace. For example, the most recent batch of 13 apps removed by Google included one game called Cake Tower that had been downloaded between 10,000 and 50,000 times, according to Google. This is in addition to older samples that had been downloaded at least a half-million times.
“It seems likely that over two-to-three months, the malware authors used different names, games, and techniques to see what apps they could publish in Play while flying under the radar,” Lookout said in a report published today. “Then, just before Christmas, a game called Cake Tower received an update [Dec. 23]. The update turned on functionality similar to the initial versions of Brain Test and included a new command and control (C2) server, which was the smoking gun we needed to tie together the apps.”
Older Brain Test variants were adept at rooting Android devices while opening a backdoor connection to a command and control server. The rootkit includes persistence routines that resist removal short of re-flashing ROM on the device.
“It appears the primary goal of the malware is to download and install additional APKs as directed by the command-and-control server,” Lookout said. “The developers also used infected devices to download other malicious applications they had submitted to the Play Store, which would inflate the number of downloads each application received.”
Check Point’s original report on the malware offered a theory as to how it was beating Google Verify Apps and other defenses that make it tough to slip malicious apps onto Google Play. Specifically, Check Point said that the malware checks the device’s IP address against a number of address ranges to determine whether it is executing on a Google server. If so, the app will not execute, Check Point said.
“While the malware’s primary motive is likely selling guaranteed application-installs, its flexible design could allow the developers to utilize infected devices for more nefarious purposes if they desired,” Lookout said today.
Provided from: Techcrunch.