BrainTest - a new level of mobile malware advancement

Malicious software hidden in an Android game called BrainTest was published on Google Play twice. Each instance had 100,000 to 500,000 downloads based on Google Play statistics, thus infecting between 200,000 and 1 million devices. Check Point contacted Google on September 10, 2015, as a result of which the application was removed from the store on September 15, 2015. Unfortunately, not for long.

The Check Point Mobile Threat Prevention tool detected two variants of the new mobile malware on several devices belonging to the company's clients. The malware was first detected on a Nexus 5 smartphone, and even though the user tried to remove the application, it reappeared on the device soon after. Analysis of this malware suggests that it uses many advanced techniques to avoid detection by Google Play and to persist on devices where it is installed.

Once the suspicious application was detected on a device, the Mobile Threat Prevention software adjusted the security policies in the mobile device management console (MobileIron), remotely reconfiguring the infected devices so that they no longer had access to business data.

Although the application is able to perform many tasks ordered by cybercriminals, the Check Point team observed that it installs additional applications on infected devices. What's worse, the malware installs a rootkit that allows the attackers to download and run arbitrary code on the device. For example, it can be used to display unwanted, annoying ads on the device or to download a program that captures logins and passwords.

The most important information

1. Samples of suspicious code were found in the BrainTest application on Google Play. Its author used many ways to avoid being detected by Google, including:

  • Avoiding Google Bouncer by detecting whether the software is run from an IP address belonging to the range used by Google Bouncer and not performing any suspicious activity in such a case.
  • The combination of time bombs, dynamic code loading and reflection to hinder reverse engineering of the code.
  • The use of the latest packer (code obfuscator) from Baidu to re-publish the application on Google Play after its first removal on August 24th.

2. BrainTest uses four exploits to escalate privileges, which allows it to install the malware as a system application.

3. BrainTest uses an anti-uninstall guard, which relies on two system applications to reinstall the application if it is removed.
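
The reinstall-after-removal behaviour in point 3 leaves a pattern a defender can look for in package install/remove events. The following is an added example, not Check Point's code: the event format, package names and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real device logs): time, action, package, actor.
# All package names except com.android.vending are hypothetical placeholders.
SAMPLE_EVENTS = """\
2015-09-16T10:00:00 REMOVED com.example.braingame user
2015-09-16T10:03:10 ADDED com.example.braingame com.example.sysguard
2015-09-16T11:00:00 REMOVED com.example.notes user
2015-09-17T09:00:00 ADDED com.example.notes com.android.vending
2015-09-16T12:00:00 REMOVED com.example.braingame user
2015-09-16T12:01:00 ADDED com.example.braingame com.example.sysguard
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per MDM policy


def parse_events(text):
    """Return (timestamp, action, package, actor) tuples sorted by time."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, action, package, actor = parts
        rows.append((datetime.fromisoformat(ts), action, package, actor))
    return sorted(rows)


def find_reinstalls(events, window=timedelta(minutes=10)):
    """Map package -> [(installer, delay)] for packages that come back shortly
    after removal and were put back by something other than a trusted store."""
    last_removed = {}
    findings = {}
    for ts, action, package, actor in events:
        if action == "REMOVED":
            last_removed[package] = ts
        elif action == "ADDED" and package in last_removed:
            delay = ts - last_removed.pop(package)
            if delay <= window and actor not in TRUSTED_INSTALLERS:
                findings.setdefault(package, []).append((actor, delay))
    return findings


if __name__ == "__main__":
    for pkg, hits in find_reinstalls(parse_events(SAMPLE_EVENTS)).items():
        print(pkg, [(who, str(delay)) for who, delay in hits])
```

A package flagged more than once, always restored by the same non-store installer, points at the installer as the component to investigate, since removing only the visible app does not end the infection.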

After the first detection of BrainTest, Google removed the application from Google Play. Within days, a team of Check Point researchers detected another instance under a different package name but using the same code. The malware authors used obfuscation to upload a new version of the malware to Google Play. The apps, however, are still in the Google Play store.

Technical details are available at:

source: Check Point
