SecurityWeek

Malware & Threats

Android Malware Possibly Infects 1 Million Devices via Google Play

A new malicious Android application has been discovered in Google Play, disguised as a game application called BrainTest, which could potentially have been installed on up to one million devices, according to Check Point.


In a blog post, Check Point researchers explained that the malicious application was published in Google Play twice and was removed on August 24 for the first time, and on September 15 for the second time.

According to Google’s statistics, each instance of the application has seen between 100,000 and 500,000 installs.

The app uses multiple techniques to avoid Google Play malware detection and to maintain persistence on infected devices, can allow cybercriminals to achieve various goals, and establishes a rootkit on the device that allows it to download and execute any code, Check Point said.

Check Point explains that the application detects whether it is run from an IP or domain mapped to Google Bouncer and does not perform malicious activities if this is true. Moreover, it combines timebombs, dynamic code loading, and reflection to make reverse engineering difficult, while also using off-the-shelf obfuscation (packer) from Baidu for the instance that was re-published in September.

Additionally, the application uses four privilege escalation exploits that allow it to gain root access and to install persistent malware as a system application. It also uses an anti-uninstall watchdog consisting of two system applications that monitor for the removal of components and reinstall them.

The only effective method to remove the malware is to re-flash the device with an official ROM, Check Point said.

The malware includes two applications, namely a dropper, Brain Test (Unpacked – com.mile.brain, Packed – com.zmhitlte.brain), which is installed from Google Play, and a backdoor, which is downloaded by the first application and which is a system malware consisting of two apps (mcpef.apk and brother.apk) that monitor each other and which download and execute code without user consent.


The Google Play application includes an encrypted java archive “start.ogg” that creates a decrypted file that sends a request to a server with the device’s configuration. The server’s response includes a link to a “jhfrte.jar” file, which checks for root, downloads an exploit to obtain root, and downloads a second file from the server, “mcpef.apk”, which is installed as a system app.

mcpef.apk downloads a secondary application from the server, “brother.apk”, checks the system to verify whether this app has been removed, and automatically reinstalls it. brother.apk has similar functionality as mcpef.apk and reinstalls the latter if it has been removed. It also monitors the system to verify whether the com.android.music.helper package is removed.

“If Google Bouncer was not detected, the application starts a time bomb which initiates the malicious flow only after 20 seconds and will run every 2 hours. The time bomb triggers the unpacker thread. The unpacker thread decrypts the java archive “start.ogg” from the assets directory, dynamically loads it and calls the method “a.a.a.b” from this archive,” Check Point’s Andrey Polkovnichenko and Alon Boxiner explain.

The app launches the malicious procedures only eight hours after the first run, they said.
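The dropper described above hides an encrypted Java archive in its assets under a media file name (“start.ogg”). A static triage check that catches this pattern, looking for asset files whose extension claims a media format but whose header does not match, or whose content is high-entropy, is shown below as an added example; it is not Check Point's code, and the sample APK it builds in memory is constructed for illustration.

```python
import io
import math
import zipfile

# Magic bytes for media types a dropper might impersonate (assumption: a small
# illustrative table, not an exhaustive list).
MEDIA_MAGIC = {".ogg": b"OggS", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def suspicious_assets(apk_bytes: bytes, entropy_threshold: float = 7.5) -> list:
    """List assets whose extension claims a media type but whose header does
    not match, or whose content is high-entropy (encrypted or packed)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assets/") or "." not in name:
                continue
            magic = MEDIA_MAGIC.get("." + name.rsplit(".", 1)[-1].lower())
            if magic is None:
                continue  # not a media extension, out of scope here
            data = apk.read(name)
            header_ok = data.startswith(magic)
            entropy = round(shannon_entropy(data), 2)
            if not header_ok or entropy > entropy_threshold:
                findings.append((name, header_ok, entropy))
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample APK: a genuine-looking .ogg and a 'start.ogg' that is
    really an opaque blob, mirroring the BrainTest dropper's trick."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("assets/sound/intro.ogg", b"OggS" + b"\x00" * 4096)
        # Uniform byte distribution: entropy 8.0 and no OggS header.
        apk.writestr("assets/start.ogg", bytes(range(256)) * 16)
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in suspicious_assets(build_sample_apk()):
        print(finding)  # ('assets/start.ogg', False, 8.0)
```

Run the same function over a real APK's bytes to flag assets worth a closer look; a mismatched header or near-8.0 entropy on a "media" file is a strong hint of dynamically loaded code.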

Only a few weeks ago, Bitdefender found CAPTCHA-bypassing malware in several applications in Google Play, another example of a malicious actor avoiding Google Bouncer detection. Although Google said earlier this year that the rate of potentially harmful application installs had halved, Android malware continues to spread via Google Play, third-party markets, forums and torrents.
