Anti-virus and security company Lookout is reporting today that they discovered several apps in the Google Play Store that are part of the Brain Test family of malware. Brain Test attempts to gain root privilege on Android devices and can persist even through factory resets or other measures taken by users to remove it once discovered. Google has already removed 13 new apps that were identified in Lookout’s latest efforts.
The tale of Brain Test malware begins back in September 2015, when Check Point reported two suspicious apps to Google. After those apps were removed, Lookout continued to monitor some apps in the Play Store that appeared to be connected to the developers who were behind Brain Test. For the next 2-3 months, the applications continued to rack up installs and positive reviews in the Play Store as the developers appeared to be testing methods for propagating their code via the Play Store.
Just before Christmas, one of the games called Cake Tower received an update that triggered new functionality. The bad news was that functionality involved code to connect to a command and control server to receive further instructions and payloads. With that change, Lookout says they were able to “connect the dots” and confirm on December 29th that all of the apps were in fact delivery platforms for the Brain Test malware.
One of the goals of Brain Test is to provide positive ratings and installs for other apps produced by the same developers. This not only helped the developers make money by meeting guaranteed APK install targets, it also helped them build an even larger network of compromised devices. While creating guaranteed installs of apps is relatively innocuous, the network could clearly be used for more malicious purposes.
Lookout also determined that Brain Test contains another annoying feature. The malware will copy files to the /system partition if it determines a device is rooted. By doing this, Brain Test is able to survive a user’s attempts to reset a device using the Factory Reset option. The only way to effectively remove Brain Test at that point is to reflash the device with a new ROM.
The apps listed below are the most recent ones discovered to be part of the Brain Test malware family:
- Cake Blast
- Jump Planet
- Honey Comb
- Crazy Block
- Crazy Jelly
- Tiny Puzzle
- Ninja Hook
- Piggy Jump
- Just Fire
- Eat Bubble
- Hit Planet
- Cake Tower
- Drag Box
UPDATE @ 11:00AM ET, 1/7/16: As per suggestion, we’re including a list of the app names and their package names because developers with apps of the same name are experiencing mass uninstalls.
The discovery of Brain Test in the Play Store comes shortly after Lookout discovered apps in the Play Store that included code from the FruitSMS malware family. The company is continuing to monitor apps for additional attempts to use the Play Store as a delivery mechanism for malicious code.