More Google Play apps infected with Brain Test malware: Lookout

Google has promptly removed 13 compromised apps from the Google Play Store after mobile cybersecurity firm Lookout found the developers behind the Brain Test strain of malware had returned.

According to Lookout, apps riddled with variants of the Brain Test malware attempt to gain root privilege, and persist factory resets and other efforts to remove it, which Lookout said is especially the case on rooted devices.

The first two Brain Test malware instances were found by Check Point in September; Google removed the compromised apps five days later.

As Chris Dehghanpoor wrote in the company's blog, Lookout then found apps in the Google Play Store in October that were similar to ones found by Check Point.

Several of these lookalike apps, however, had hundreds of thousands of downloads and at least a four-star average review score, which Dehghanpoor said was indicative of a satisfying app experience, not obtrusive adware.

Lookout said it confirmed on December 29 that additional apps containing Brain Test malware -- written by the same developers -- were in Google's Play Store.

By way of innocent apps, like one by the name of Cake Tower, Brain Test developers were able to enter the Google Play Store with a legitimate-enough looking game. Lookout said just before Christmas, however, Cake Tower received an update that turned on functionality similar to the initial versions of Brain Test, and included a new command and control server, which Dehghanpoor said was the smoking gun the security firm needed to tie together the apps.

"Some [apps] are highly rated because they are fun to play," he said.

"Mischievously, though, the apps are capable of using compromised devices to download and positively review other malicious apps in the Play Store by the same authors. This helps increase the download figures in the Play Store. Specifically, it attempts to detect if a device is rooted, and if so, copies several files to the system partition in an effort to ensure persistence, even after a complete factory reset."

According to Lookout, after the initial persistence routine is completed, several background services continue to check in with the command-and-control servers. Like the original Brain Test variants, the current version has the ability to download additional configuration parameters from the command-and-control server, as well as execute arbitrary commands as root or dynamically load and execute additional Java code.

Lookout said that Brain Test's end goal has always been money.

"There has been an emergence of entities, primarily originating from China, that have been selling guaranteed application-installs to developers," Lookout said.

"In order to facilitate the installs, they rely on compromising a large number of devices and then pushing the installs to those devices. Similar tactics have been around for many years in the PC world, and we've seen multiple Android malware families take a similar approach."

The San Francisco-based firm said the behaviour of Brain Test is similar to several other recent malware families, specifically Shedun, ShiftyBug, and Shuanet.

In addition to Cake Tower, Cake Blast, Eat Bubble, Honey Comb, Crazy Jelly, Crazy Block, and Tiny Puzzle were amongst the removed applications.

Whilst a simple factory reset on an infected Android device will not remove the malware, Lookout said the best option for most users would be to re-flash a read-only memory (ROM) supplied by the device's manufacturer. Checking with the device manufacturer for the correct way to do so is advised.

In November, Lookout said auto-rooting apps installed through malicious mobile campaigns was a recent and "worrying" development within Google's Android ecosystem.

The company said that adware was becoming "trojanised", with malicious adware masquerading as legitimate apps in order to load up malicious code and steal consumer data -- after rooting the victim's device to become firmly entrenched in smartphones and tablets.

Lookout discovered over 20,000 apps including the likes of Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Twitter, Snapchat, and WhatsApp swimming around the ecosystem which appear to be legitimate in order to dupe consumers into downloading them from areas other than the Google Play Store.