A new malicious Android application has been discovered in Google Play, disguised as a game called BrainTest, and may have been installed on up to one million devices, according to Check Point.
In a blog post, Check Point researchers explained that the malicious application was published to Google Play twice: the first instance was removed on August 24 and the second on September 15.
According to Google’s statistics, each instance of the application has seen between 100,000 and 500,000 installs.
The app uses multiple techniques to evade Google Play malware detection and to maintain persistence on infected devices. It lets the attackers pursue a range of goals and establishes a rootkit on the device that can download and execute arbitrary code, Check Point said.
Check Point explains that the application checks whether it is running from an IP address or domain associated with Google Bouncer and performs no malicious activity if so. It also combines time bombs, dynamic code loading and reflection to hinder reverse engineering, and the instance re-published in September was additionally wrapped in an off-the-shelf Baidu packer for obfuscation.
The application also carries four privilege escalation exploits that it uses to gain root and install persistent malware as a system application, backed by an anti-uninstall watchdog: two system applications that watch for the removal of each component and reinstall it.
The only effective method to remove the malware is to re-flash the device with an official ROM, Check Point said.
The malware consists of two parts: a dropper, Brain Test (unpacked: com.mile.brain; packed: com.zmhitlte.brain), which is installed from Google Play, and a backdoor, which the dropper downloads. The backdoor is system-level malware made up of two apps, mcpef.apk and brother.apk, that monitor each other and download and execute code without user consent.
The Google Play application contains an encrypted Java archive, “start.ogg”, which it decrypts and loads; the decrypted code sends the device’s configuration to a server. The server’s response includes a link to a “jhfrte.jar” file, which checks for root, downloads an exploit to obtain it, and then downloads a second file from the server, “mcpef.apk”, which is installed as a system app.
mcpef.apk downloads a secondary application from the server, “brother.apk”, checks whether that app has been removed, and automatically reinstalls it. brother.apk has the same functionality and reinstalls mcpef.apk if it has been removed. It also monitors the system to check whether the com.android.music.helper package has been removed.
“If Google Bouncer was not detected, the application starts a time bomb which initiates the malicious flow only after 20 seconds and will run every 2 hours. The time bomb triggers an unpacker thread. The unpacker thread decrypts the Java archive “start.ogg” from the assets directory, dynamically loads it and calls the method “a.a.a.b” from this archive,” Check Point’s Andrey Polkovnichenko and Alon Boxiner explain.
The app launches the malicious procedures only eight hours after the first run, they said.
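The pattern described above, an encrypted JAR hidden under a media extension in assets/ and a DEX that loads it at runtime and calls into it by reflection, is one that static triage can surface before the time bomb ever fires. The following script is an added example, not code from the original article or from Check Point's report. It opens an APK (a zip file), checks whether each file under assets/ actually starts with the magic bytes its extension implies, measures byte entropy to spot encrypted blobs, and searches classes.dex for the class-loader and reflection strings that dynamic loading requires. The sample APK it builds is constructed inline for illustration; the entropy threshold, the magic-byte table and the indicator list are the author's assumptions, not values taken from the report.

```python
"""Static triage of an APK for the BrainTest-style pattern: a non-media blob
under a media extension in assets/, plus a DEX that loads code dynamically."""
import hashlib
import io
import math
import zipfile
from collections import Counter

# Magic bytes expected for a few common asset extensions (assumption: the table
# is deliberately small; extensions not listed are reported as unknown, not flagged).
EXPECTED_MAGIC = {
    ".ogg": (b"OggS",),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
    ".mp3": (b"ID3", b"\xff\xfb"),
}

# Strings in classes.dex that dynamic loading and reflection leave behind.
LOADER_INDICATORS = (
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/PathClassLoader",
    b"loadClass",
    b"java/lang/reflect/Method",
    b"getDeclaredMethod",
)

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniform random, 0.0 is a single value."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_asset(name: str, data: bytes) -> dict:
    """Compare the file's extension with its real magic and measure its entropy."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = EXPECTED_MAGIC.get(ext)
    magic_ok = None if expected is None else any(data.startswith(m) for m in expected)
    entropy = shannon_entropy(data)
    # Flag only a mismatch combined with high entropy: a mislabelled PNG is odd,
    # a mislabelled file full of ciphertext is the pattern we are hunting.
    suspicious = magic_ok is False and entropy > ENTROPY_THRESHOLD
    return {"name": name, "magic_ok": magic_ok,
            "entropy": round(entropy, 2), "suspicious": suspicious}


def triage_apk(apk_bytes: bytes) -> dict:
    """Walk the APK and report suspicious assets plus loader indicators in the DEX."""
    report = {"assets": [], "loader_indicators": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.filename.startswith("assets/") and not info.is_dir():
                report["assets"].append(check_asset(info.filename, z.read(info)))
            elif info.filename == "classes.dex":
                dex = z.read(info)
                report["loader_indicators"] = [s.decode() for s in LOADER_INDICATORS if s in dex]
    # Verdict: an encrypted-looking asset under a false extension AND evidence
    # that the app can load and invoke code it did not ship as classes.dex.
    report["flagged"] = (any(a["suspicious"] for a in report["assets"])
                         and len(report["loader_indicators"]) >= 2)
    return report


def build_sample_apk() -> bytes:
    """Constructed sample, not a real APK: a genuine-looking Ogg, an 'Ogg' that is
    really a high-entropy blob, and a fake classes.dex carrying loader strings."""
    # Deterministic pseudo-random bytes stand in for ciphertext (4096 bytes).
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    fake_dex = b"dex\n035\x00" + b"\x00".join(LOADER_INDICATORS) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/intro.ogg", b"OggS" + b"\x00" * 200)  # real-looking audio
        z.writestr("assets/start.ogg", blob)                     # encrypted JAR lookalike
        z.writestr("classes.dex", fake_dex)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for asset in result["assets"]:
        print(asset)
    print("loader indicators:", result["loader_indicators"])
    print("flagged:", result["flagged"])
```

Run it against a real APK with `triage_apk(open("app.apk", "rb").read())`. A packed sample like the September instance will still show the mismatched asset, since the packer wraps the DEX rather than the assets, and the loader strings reappear once the packer's stub is unwrapped.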
Only a few weeks ago, Bitdefender found CAPTCHA-bypassing malware in several applications in Google Play, another example of a malicious actor evading Google Bouncer detection. Although Google said earlier this year that the rate of potentially harmful application installs had halved, Android malware continues to spread via Google Play, third-party markets, forums and torrents.