A nasty malware family, Brain Test, has suddenly reappeared. It seemed to have fallen off the radar for some time, but it is back with a vengeance and is believed to have affected at least 13 Android apps on the Play Store, each of which has had hundreds of thousands of downloads. Google believes it has identified the problem and has removed all the affected apps.
The malware was discovered by software security firm Lookout, which immediately informed the relevant authorities, and Google, about the Brain Test comeback.
On December 29 we confirmed our suspicions that additional apps containing Brain Test malware were in Google Play. We found 13 Brain Test samples in total, written by the same developers. We contacted Google, who promptly removed these 13 apps from the Google Play Store.
The 13 apps that were removed from Play Store were Drag Box, Cake Tower, Hit Planet, Eat Bubble, Just Fire, Piggy Jump, Ninja Hook, Tiny Puzzle, Crazy Jelly, Crazy Block, Honey Comb, Jump Planet, and Cake Blast. Those who still have any of these apps on their devices are asked to completely remove them as soon as possible. No replacement is currently available on the Play Store and it is not clear whether the apps will re-appear once they have resolved the infection. It is unlikely that they will, however, as there is some suspicion that they actually belong to the Brain Test family.
Apparently, ever since Brain Test was initially removed from the official store, the malware authors have been working on different ways to circumvent the Google Play screening process. To that end, they pushed legitimate games and apps to the store, and also tried other techniques to publish apps in the marketplace while avoiding detection.
Once an app that has been infected with Brain Test is installed, it tries to find out whether or not the device is rooted. It then copies a number of files to the system partition. Unfortunately, simply removing the app, or even performing a factory reset, is not enough to repair the device, because neither action restores the system partition.
How to Resolve the Situation
If you have downloaded one of these apps, it is reasonable to assume you have also been infected with the malware. To resolve the situation, start by backing up all the data that you currently hold on your Android device. Once you have done that, re-flash a stock update released by the manufacturer. This is according to Lookout's advice.
The current version of the Brain Test malware has features that are very much like the original version, which Check Point, another cyber security firm, discovered back in September 2015. They made the revelation in a blog post on their website.
Check Point Mobile Threat Prevention has detected two instances of a mobile malware variant infecting multiple devices within the Check Point customer base. The malware, packaged within an Android game app called BrainTest, had been published to Google Play twice. Each instance had between 100,000 and 500,000 downloads according to Google Play statistics, reaching an aggregated infection rate of between 200,000 and 1 million users.
Check Point immediately reached out to Google when they discovered the fault. As a result, all the malicious apps that were involved with Brain Test were immediately removed. However, it seems that the group of hackers did not throw in the towel, instead working on new versions of their malware.
What Does It Do and What Is the Danger?
The Brain Test malware is designed to download extra APKs in secret and install them. Which APKs to fetch is directed through the operators' C2 (command and control) software. The developers then use the infected devices to download a number of other pieces of malicious software. In so doing, the download numbers of each app are instantly boosted, making it look like a popular app on the Play Store and therefore promoting it to more people.
Additionally, it enables the developers to post fake positive reviews for the various apps. For instance, com.beautiful.caketower, which is a single sample of Brain Test software, had been installed between 10,000 and 50,000 times. The average rating for the program was 4.5, and it received 23,175 reviews, according to the product page of the Cake Tower app on the Play Store. Another example, com.sweet.honeycomb, was downloaded between 500,000 and 1,000,000 times. It had also received 79,878 reviews, leading to a 4.5 star rating. The problem is that these figures are completely skewed: it is not clear how many of the downloads were genuine or whether the reviews were real.
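The skew in those listing figures can be quantified. The following is an added example, not code from Lookout or from the original article: it takes the install brackets and review counts quoted above and computes the lowest and highest possible share of installers who left a review. The 5% threshold and the com.example.puzzle listing are assumptions constructed for illustration.

```python
import re

# Assumed cut-off (not an established figure): flag a listing when, even at
# the top of its install bracket, more than this share of installers would
# have had to leave a review.
SUSPICIOUS_MIN_RATIO = 0.05


def parse_bracket(text):
    """Parse a Play Store install bracket such as '10,000 - 50,000'."""
    nums = [int(n.replace(",", "")) for n in re.findall(r"\d[\d,]*", text)]
    if len(nums) != 2 or nums[0] <= 0 or nums[0] > nums[1]:
        raise ValueError(f"not an install bracket: {text!r}")
    return nums[0], nums[1]


def review_ratio_bounds(bracket, reviews):
    """Return the (lowest, highest) possible reviews-per-install ratio."""
    low, high = parse_bracket(bracket)
    # Most installs gives the lowest ratio, fewest installs the highest.
    return reviews / high, reviews / low


def assess(package, bracket, reviews):
    lowest, highest = review_ratio_bounds(bracket, reviews)
    return {
        "package": package,
        "min_ratio": lowest,
        "max_ratio": highest,
        # Judge on the best case for the listing, so a wide bracket
        # cannot produce a flag on its own.
        "suspicious": lowest > SUSPICIOUS_MIN_RATIO,
    }


LISTINGS = [
    # Figures quoted in the article.
    ("com.beautiful.caketower", "10,000 - 50,000", 23175),
    ("com.sweet.honeycomb", "500,000 - 1,000,000", 79878),
    # Constructed listing, for contrast only.
    ("com.example.puzzle", "100,000 - 500,000", 1200),
]


def report():
    return [assess(*listing) for listing in LISTINGS]


if __name__ == "__main__":
    for row in report():
        print(f"{row['package']}: {row['min_ratio']:.1%} to "
              f"{row['max_ratio']:.1%} suspicious={row['suspicious']}")
```

For Cake Tower, even if every one of the 50,000 possible installs were real, more than 46% of installers would have had to leave a review.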
According to Lookout, the authors and developers of the Brain Test malware have been incredibly busy. Lookout believes that they started working on an alternative as soon as they were discovered in September 2015, at which point they started to look for a different way to get their apps into the Play Store. The first app believed to have been infected was Cake Tower. Just a few days before Christmas 2015, the app was suddenly updated. On closer inspection, the update included functionality that was originally found in the Brain Test app. It also included a new C2 (command and control) server.
While the first Brain Test did not seem to pose any dangers in terms of identity theft, users are warned to be extra vigilant.
In light of this incident, extra vigilance in your downloads is called for. That’s not to say that every one-off game from pop-up devs is dangerous, but some homework and some trusting of your gut is never a bad idea. You are downloading these apps, after all, to a device that contains your personal information and digital identity.