Within the past month, malware disguised as an Android game twice made its way into the Google Play store, and each time it had between 100,000 and 500,000 downloads – making for a potential total of one million infected users.
The threat is a working game called Brain Test and it was identified by researchers with Check Point.
Currently it has only been observed pushing advertisements, but the malware is quite advanced: it uses tricks to bypass Google's app vetting system, Bouncer; it uses privilege escalation exploits to gain root access on the device; and it takes steps to maintain persistence so it cannot easily be deleted.
Even the way it pushes ads is aggressive, since they can appear on any screen at any time, Avi Bashan, technology leader at Check Point, told SCMagazine.com. He noted that the malware has a sophisticated framework that is only a few tweaks away from being able to practically take over a device.
Bashan said that the first version of Brain Test went into the Google Play store at an unknown date and was taken down on Aug. 24, and the second version went up on Sept. 10 and was taken down by Google on Sept. 15. The app, he added, does not ask for permissions or do anything glaring that would tip the user off that it is malicious.
Those who downloaded it will have to re-flash their device with an official ROM, a Monday post indicated. Bashan said this is because “additional apps are used in order to preserve persistency on the device, so even if the user tries to delete the Brain Test app, the other app will reinstall the Brain Test app again without user confirmation.”
Bashan noted that the author of Brain Test showed additional sophistication when uploading the app to the Google Play store a second time. He explained how the developer used a tool made by Baidu – called Packer – that obfuscates code and hinders analysis and reverse engineering efforts.
Meanwhile, the creator of Brain Test is not the only individual writing persistent malware for Android devices.
Researchers with Cheetah Mobile recently identified 39 apps – not in the Google Play store – that are infected with a “virus” identified as ‘Ghost Push.’ These apps gain root access to devices and download apps that – similar to Brain Test – cannot easily be removed.
“Disguised as legitimate applications, malware which contains ‘Ghost Push’ could spread itself widely via commercial SDK or browser ads,” a Friday post said.
Cheetah Mobile said in the post that it observed 600,000 Android users being affected within a single day, and that the threat is predominantly spreading throughout Europe, Russia, the Middle East region and Southern China.