Nasty mobile malware found infecting Android devices in September 2015 via Google Play has made a comeback, security firm Lookout reports.
When first discovered in September by Check Point, the “Brain Test” malware was disguised in the form of a game application and was suspected to have infected over 1 million devices. The game appeared in the official app store twice and was removed on Aug. 24 and Sept. 15, respectively, with each instance registering between 100,000 and 500,000 installs.
Lookout noticed that the Brain Test malware had returned to Google Play on Dec. 29, when a total of 13 samples were identified, all written by the same developer. All of these apps were quickly removed from the marketplace, but they did manage to gather high ratings and hundreds of thousands of downloads before being pulled.
According to a blog post authored by Lookout’s Chris Dehghanpoor, the malware itself was found to be responsible for the high ratings that the offending applications had in Google Play, as well as for their large number of downloads. Moreover, he explains that some of the observed samples attempted to root the infected devices and that they persist through factory resets and other removal attempts.
Apparently, ever since Brain Test was initially removed from the official store, the malware authors have been working on ways to circumvent the Google Play screening process. To that end, they pushed legitimate games and apps to the store, and also tried other techniques to publish apps in the marketplace while avoiding detection.
In late December, one of these games, namely Cake Tower, received an update that enabled functionality similar to that of the original Brain Test, while also adding a new command and control (C2) server. The security firm was then able to conclude that some of the malicious apps are fully functional games and that many are indeed fun to play, which explains their high ratings.
However, these apps were also designed to use compromised devices to download other malicious apps from Google Play and to rate them positively, which helps the authors increase the download figures of their apps. Additionally, the apps check whether root is present on the device and, if it is, they copy a set of files to the /system partition to ensure persistence.
Because of its behavior, Brain Test cannot be removed from compromised devices even if the user attempts a factory reset. The files copied to the /system partition remain untouched during the process, and the malware persists unless users re-flash the infected smartphone or tablet with a ROM supplied by the device’s manufacturer.
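The reason a factory reset does not help is that the reset wipes the userdata partition (/data) but leaves /system as it is, so anything copied there survives. The following added example (not code from Lookout or from the article) shows the defender-side check that follows from that: compare a SHA-256 listing of the live /system partition against a listing taken from the manufacturer's stock ROM and report files that were added or modified. The listings, the hashes and the path `/system/xbin/.wd` are constructed for the example and are not real Brain Test indicators.

```python
"""Compare a live /system file listing against a manufacturer ROM baseline.

Files that a piece of malware copies into /system on a rooted device survive a
factory reset, because the reset only wipes /data.  Diffing the live partition
against a known-good listing of the stock ROM surfaces such leftovers.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(content: bytes) -> str:
    """Hex SHA-256 of file content (used here only to build constructed listings)."""
    return hashlib.sha256(content).hexdigest()


# Constructed baseline: what 'sha256sum' over the stock ROM's /system would print.
# Real baselines come from the manufacturer image; these contents are made up.
BASELINE_LISTING = "\n".join(
    f"{sha256_hex(content)}  {path}"
    for path, content in [
        ("/system/bin/sh", b"stock shell binary"),
        ("/system/app/Calendar.apk", b"stock calendar apk"),
        ("/system/etc/hosts", b"127.0.0.1 localhost\n"),
    ]
)

# Constructed live listing: the same stock files, one of them replaced, plus a
# file that was not shipped by the manufacturer (placeholder name, not a real IoC).
LIVE_LISTING = "\n".join(
    f"{sha256_hex(content)}  {path}"
    for path, content in [
        ("/system/bin/sh", b"stock shell binary"),
        ("/system/app/Calendar.apk", b"stock calendar apk"),
        ("/system/etc/hosts", b"127.0.0.1 localhost\n0.0.0.0 example-blocked-host\n"),
        ("/system/xbin/.wd", b"not part of the stock ROM"),
        ("/data/data/com.example.game/app_cache/x", b"wiped by a factory reset"),
    ]
)


def parse_sha256sum(output: str) -> Dict[str, str]:
    """Parse 'sha256sum'-style lines ('<hex>  <path>') into {path: hex}."""
    listing: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, path = line.partition("  ")
        listing[path.strip()] = digest.strip()
    return listing


def survives_factory_reset(path: str) -> bool:
    """A factory reset wipes /data (userdata partition) but leaves /system intact."""
    return path.startswith("/system/")


def find_deviations(baseline: Dict[str, str], live: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (added, modified) /system paths in the live listing, relative to the baseline.

    Only paths that survive a reset are reported: deviations under /data are
    removed by the reset anyway and are not a persistence concern here.
    """
    added = sorted(p for p in live if p not in baseline and survives_factory_reset(p))
    modified = sorted(p for p in live if p in baseline and live[p] != baseline[p])
    return added, modified


def check_system_partition() -> Tuple[List[str], List[str]]:
    """Run the comparison on the constructed listings above."""
    return find_deviations(parse_sha256sum(BASELINE_LISTING), parse_sha256sum(LIVE_LISTING))


if __name__ == "__main__":
    added, modified = check_system_partition()
    print("added to /system   :", added)      # ['/system/xbin/.wd']
    print("modified on /system:", modified)   # ['/system/etc/hosts']
```

On a real device the live listing would be produced by a command such as `find /system -type f -exec sha256sum {} \;` over `adb shell`, and the baseline from the same command run against the manufacturer's ROM image; any hit in the "added" or "modified" list is what the article's advice to re-flash the stock ROM is meant to remove.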
The first new malicious sample was spotted in Google Play on December 23, when Cake Tower received an update, exhibiting behavior similar to the previously spotted Brain Test samples. After installation and initial launch, the application starts a watchdog executable designed to report to the C2 server when it has been uninstalled.
It also decrypts a malicious APK that is used for persistence located at ‘assets/res/drawable/pw.png’ and copies it to ‘/data/data/com.beautiful.caketower/app_cache’ with a randomly generated filename, Lookout said. Moreover, it writes a small shell script to ‘/data/data/com.beautiful.caketower/app_cache’, which is executed if the device is rooted.
After this routine is complete, a series of background services continue to check in with the C2 server, and the sample can download additional configuration parameters and execute arbitrary commands as root. It can also dynamically load and execute additional Java code, the security firm says.
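Hiding a payload as an image asset, as described above for `assets/res/drawable/pw.png`, is something an APK triage step can catch before the app ever runs: an asset whose name claims an image type but whose bytes do not start with an image signature is either a ZIP/APK (which starts with `PK`) or, if its byte distribution is close to random, likely an encrypted blob. The following is an added example of such a triage check, not code from Lookout or the article; the asset contents are constructed, and the ZIP disguised as an image is built in memory to stand in for an embedded APK.

```python
"""Flag assets whose file name claims an image type but whose bytes do not.

Checks, in order: image magic bytes (genuine image), ZIP magic (an APK or other
archive renamed to look like an image), then Shannon entropy (a near-random byte
distribution suggests an encrypted payload).
"""
import hashlib
import io
import math
import zipfile
from typing import Dict

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")
IMAGE_MAGICS = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
ZIP_MAGIC = b"PK\x03\x04"          # an APK is a ZIP archive
ENTROPY_THRESHOLD = 7.5            # bits per byte; uniform random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_asset(name: str, data: bytes) -> str:
    """Classify one asset by comparing its claimed type with its content."""
    if not name.lower().endswith(IMAGE_EXTENSIONS):
        return "not-checked"                      # only image-named assets are examined
    if data.startswith(IMAGE_MAGICS):
        return "image"                            # signature matches the claimed type
    if data.startswith(ZIP_MAGIC):
        return "zip-or-apk-disguised-as-image"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy-blob"                # possible encrypted payload
    return "non-image-data"


def triage_assets(assets: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every asset; returns {asset path: verdict}."""
    return {name: classify_asset(name, data) for name, data in assets.items()}


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload (constructed)."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def _zip_bytes() -> bytes:
    """A small in-memory ZIP, standing in for an APK renamed to .png (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    return buf.getvalue()


# Constructed sample assets. Only the pw.png path comes from the write-up;
# its content here is made up and does not reproduce the real payload.
SAMPLE_ASSETS: Dict[str, bytes] = {
    "assets/res/drawable/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x01" * 64,
    "assets/res/drawable/pw.png": _pseudo_random(4096),
    "assets/res/drawable/bg.jpg": _zip_bytes(),
    "assets/res/drawable/notes.png": b"plain text, not an image\n" * 40,
    "assets/config.json": b"{}",
}


def triage_sample() -> Dict[str, str]:
    """Run the triage over the constructed assets."""
    return triage_assets(SAMPLE_ASSETS)


if __name__ == "__main__":
    for path, verdict in triage_sample().items():
        print(f"{verdict:32s} {path}")
```

The magic-byte check runs first on purpose: a genuine PNG or JPEG body is compressed and therefore high-entropy too, so entropy alone would flag every real image. A "high-entropy-blob" verdict is a lead for manual analysis, not proof of malice on its own.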
According to Lookout, the main goal of this malware is to download and install additional APKs and other malicious applications that have been submitted to Google Play, in order to inflate the number of downloads each application receives. Moreover, the malware allows the developers to post positive reviews in Google Play from the compromised devices (the Google Play page of Cake Tower, which had between 10,000 and 50,000 installs, displayed a 4.5 average rating and 23,175 reviews).
Lookout suggests that Brain Test’s primary motive is to sell guaranteed application installs, but that it has a flexible design that can be used for other nefarious purposes as well. To achieve its goal, this type of malware relies on compromising a large number of devices and then pushing the installs to those devices, a tactic observed for many years on desktop computers.
In this particular situation, the delivery mechanism was different, as the malware infiltrated a mainstream app store and managed to obtain hundreds of thousands of downloads and high ratings before being removed. The list of infected apps (already removed by Google) includes Cake Blast, Jump Planet, Honey Comb, Crazy Block, Crazy Jelly, Tiny Puzzle, Ninja Hook, Piggy Jump, Just Fire, Eat Bubble, Hit Planet, and Drag Box.
“The Brain Test malware was able to detect when it was under review by Google Play vs. when it was running on a user's device. This detection mechanism likely allowed it easier passage through the app review process since it didn't exhibit any malicious behavior when under review,” Bluebox Security’s Andrew Blaich told SecurityWeek.
Blaich also reminded Android users of the importance of disabling “Unknown Sources” and enabling “Verify apps.”
“If Android users do suspect that they have an infected app, they should remove it, if they haven't already been asked to do so. If the device was rooted and an app was infected, then the affected user should consult the advisory as they'll need to take special precautions to fully remove the malware,” Blaich said.