
Android Malware Possibly Infects 1 Million Devices via Google Play

A new malicious Android application has been discovered in Google Play, disguised as a game application called BrainTest, which could potentially have been installed on up to one million devices, according to Check Point.

In a blog post, Check Point researchers explained that the malicious application was published in Google Play twice: Google removed it for the first time on August 24 and for the second time on September 15.

According to Google’s statistics, each instance of the application has seen between 100,000 and 500,000 installs.

The app uses multiple techniques to evade Google Play malware detection and to maintain persistence on infected devices. It allows cybercriminals to achieve various goals and establishes a rootkit on the device, which lets it download and execute arbitrary code, Check Point said.

Check Point explains that the application checks whether it is running from an IP address or domain associated with Google Bouncer and performs no malicious activity if so. It also combines time bombs, dynamic code loading and reflection to hinder reverse engineering, and the instance re-published in September was additionally wrapped in an off-the-shelf packer from Baidu.

Additionally, the application carries four privilege escalation exploits that let it gain root access and install persistent malware as a system application. It also includes an anti-uninstall watchdog: two system applications monitor each other's components for removal and reinstall them.

The only effective method to remove the malware is to re-flash the device with an official ROM, Check Point said.

The malware consists of two parts: a dropper, Brain Test (unpacked: com.mile.brain; packed: com.zmhitlte.brain), which is installed from Google Play, and a backdoor downloaded by the dropper. The backdoor is system-level malware made up of two apps (mcpef.apk and brother.apk) that monitor each other and download and execute code without user consent.

The Google Play application ships an encrypted Java archive as the asset “start.ogg”. Once decrypted and loaded, it sends a request containing the device’s configuration to a server. The server’s response includes a link to a “jhfrte.jar” file, which checks for root, downloads an exploit to obtain it, and fetches a second file, “mcpef.apk”, from the server, which is then installed as a system app.

mcpef.apk downloads a secondary application, “brother.apk”, from the server, checks whether that app has been removed and automatically reinstalls it. brother.apk has the same functionality and reinstalls mcpef.apk if that package is removed.

“If Google Bouncer was not detected, the application starts a time bomb which initiates the malicious flow only after 20 seconds and will run every 2 hours. The time bomb triggers the unpacker thread. The unpacker thread decrypts the Java archive “start.ogg” from the assets directory, dynamically loads it and calls the method “a.a.a.b” from this archive,” Check Point’s Andrey Polkovnichenko and Alon Boxiner explain.

The app launches the malicious procedures only eight hours after the first run, they said.
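The article describes the dropper's core trick: an encrypted Java archive hidden behind a media file name ("start.ogg") that is decrypted at runtime, loaded dynamically and entered through a reflected method. The following is an added triage heuristic, written for this page; it is not Check Point's tooling and not code from the malware. It builds a constructed APK in memory that mimics that layout, flags assets whose content does not match their claimed extension (a real Ogg file starts with "OggS"; an encrypted jar does not and has high entropy), and looks in classes.dex for the descriptors a dynamic-loading-plus-reflection flow needs. The asset name, package name and method name come from the article; the fake dex contents, the keystream and the helper names are assumptions made for the example.

```python
"""Triage heuristic for APKs hiding code behind a media-named asset.

Added example, not Check Point's code or BrainTest's. The sample APK is
constructed below; only the names start.ogg, com.mile.brain and a.a.a.b
come from the article.
"""
import hashlib
import io
import math
import os
import zipfile
from collections import Counter

# Magic bytes a file with this extension should start with.
EXPECTED_MAGIC = {
    ".ogg": (b"OggS",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Magic bytes of what is typically found instead when the asset is code.
CODE_MAGIC = {
    b"PK\x03\x04": "zip/jar/apk",
    b"dex\n": "dex",
    b"\x7fELF": "elf",
}

# Descriptors in classes.dex that a runtime-loading + reflection flow needs.
LOADER_HINTS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ljava/lang/reflect/Method;",
    b"Ljavax/crypto/Cipher;",
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs score close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_asset(name: str, data: bytes):
    """Return a finding if the asset's bytes contradict its extension, else None.

    An encrypted jar shows no recognisable header at all, so the finding
    carries the entropy so the caller can tell 'encrypted payload' from
    'mislabelled text file'.
    """
    ext = os.path.splitext(name)[1].lower()
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None or any(data.startswith(m) for m in expected):
        return None
    actual = next((label for magic, label in CODE_MAGIC.items()
                   if data.startswith(magic)), "unknown")
    return {"asset": name, "claimed": ext, "actual": actual,
            "entropy": shannon_entropy(data)}


def scan_apk(apk_bytes: bytes) -> dict:
    """Walk the APK (a zip) and collect disguised assets and loader hints."""
    findings = {"disguised_assets": [], "loader_hints": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            data = z.read(info.filename)
            if info.filename.startswith("assets/"):
                finding = classify_asset(info.filename, data)
                if finding:
                    findings["disguised_assets"].append(finding)
            elif info.filename.endswith(".dex"):
                findings["loader_hints"] += [h.decode() for h in LOADER_HINTS if h in data]
    return findings


def is_suspicious(findings: dict, entropy_threshold: float = 6.0) -> bool:
    """Flag the combination: a high-entropy mislabelled asset plus DexClassLoader."""
    hidden_payload = any(f["entropy"] >= entropy_threshold
                         for f in findings["disguised_assets"])
    dynamic_loading = "Ldalvik/system/DexClassLoader;" in findings["loader_hints"]
    return hidden_payload and dynamic_loading


def build_sample_apk() -> bytes:
    """Constructed sample (not the real APK) mimicking the described layout."""
    # Fake dex: header-like prefix plus the descriptors the dropper would reference.
    fake_dex = (b"dex\n035\x00" + b"\x00" * 64 + b"".join(LOADER_HINTS)
                + b"La/a/a;\x00b\x00")
    # 'Encrypt' a jar-looking plaintext with a hash-derived keystream so the
    # asset has no PK or OggS header and high entropy, like start.ogg would.
    keystream = b"".join(hashlib.sha256(b"sample-key-%d" % i).digest() for i in range(16))
    plaintext = b"PK\x03\x04" + b"\x00" * (len(keystream) - 4)
    encrypted_jar = bytes(p ^ k for p, k in zip(plaintext, keystream))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.mile.brain'/>")
        z.writestr("classes.dex", fake_dex)
        z.writestr("assets/start.ogg", encrypted_jar)      # disguised payload
        z.writestr("assets/intro.ogg", b"OggS" + b"\x00" * 60)  # genuine-looking audio
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_apk(build_sample_apk())
    for f in result["disguised_assets"]:
        print(f"{f['asset']}: claims {f['claimed']}, looks like {f['actual']}, "
              f"entropy {f['entropy']:.2f}")
    print("loader hints:", result["loader_hints"])
    print("suspicious:", is_suspicious(result))
```

Point `scan_apk` at the bytes of a real APK to use it outside the constructed sample. The heuristic is deliberately cheap: it does not decrypt anything, so it also fires on packed but benign apps that ship encrypted resources; treat a hit as a reason to pull the asset and the dex into a proper analysis, not as a verdict.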

Only a few weeks ago, Bitdefender found CAPTCHA-bypassing malware in several Google Play applications, another example of a malicious actor evading Google Bouncer. Although Google said earlier this year that the rate of potentially harmful application installs had halved, Android malware continues to spread via Google Play, third-party markets, forums and torrents.
