Up until now, malware on Android devices has mostly been limited to users downloading and installing apps from unknown sources. Google has had some issues with malicious apps on the Google Play Store in the past, but recently it has maintained a pretty good system for detecting and blocking apps carrying malware before they appear on the Play Store. That, however, has changed with a new type of sneaky malware that could have infected almost 1 million devices.
Brain Test, a mobile game, was removed from the Play Store twice, having reached 100,000 to 500,000 downloads each time it was up. According to Check Point, it is currently not carrying out any cyber-criminal goals, but they did confirm that the app will install other apps onto the phone without the user's authorization.
Disturbingly, the malware establishes a rootkit on the device, allowing it to download and execute any code a cybercriminal would want to run on a device. For example, it could be used to display unwanted and annoying advertisements on a device, or potentially, to download and deploy a payload that steals credentials from an infected device.
The malware uses two applications to infect the phone. The main package, Brain Test, downloads an exploit from the attackers' server and roots the device in the background. Once the device is rooted, it downloads a second malware app, which in turn downloads and runs code from the same server without the user's consent. It evades Google's malware scanner, Bouncer, by checking whether the device's IP address or domain maps to Google Bouncer; if it does, the malicious activity is suppressed until a later check shows the app is in the clear.
Once the second app is installed, there is a fail-safe in case one or the other is deleted. If either app detects that its counterpart has been removed from the device, it simply re-downloads and reinstalls the missing package to continue the cycle. The only remedy so far seems to be flashing the phone with a stock ROM to get rid of the infected packages.
The goal of this malware seems to be to overlay advertisements on the device at random, without the user having to open or trigger anything at all. It runs on a timer and simply displays the ads whenever the timer fires.
This malware, although quite annoying, doesn’t sound too malicious compared to what it could be doing. Just being equipped to display ads is a nuisance but it could be programmed to steal credentials or other information from an infected device. Hopefully Google will come up with a way to detect this new type of threat in apps to continue keeping the Play Store a safe place to download apps.