Brain Test Malware Discovered Back on Google Play


There was a timely reminder from Lookout Security on Wednesday that not everything on official app stores is legitimate software, after the security firm revealed it found 13 apps containing the Brain Test malware on Google Play.

The malware was first spotted by Check Point back in September. It uses a range of privilege escalation exploits to root victim devices and install a rootkit, which is how it achieves persistence.

Its primary goal is to download and install additional APKs as instructed by its command-and-control (C&C) server, with the ultimate aim of making money for its creator by guaranteeing application installs for eager developers.

“There has been an emergence of entities, primarily originating from China, that have been selling guaranteed application-installs to developers,” explained Lookout senior security analyst, Chris Dehghanpoor.

“In order to facilitate the installs, they rely on compromising a large number of devices and then pushing the installs to those devices. Similar tactics have been around for many years in the PC world, and we’ve seen multiple Android malware families take a similar approach.”

Where Brain Test differs, however, is in its ability to get past Google's checks and onto the official Play store, where in some cases the apps obtained over 500,000 downloads and average ratings of 4.5.

“The explanation for the apps’ high ratings and hundreds of thousands of downloads is the malware itself. First off, some of the apps are fully-functioning games. Some are highly rated because they are fun to play,” said Dehghanpoor.

“Mischievously, though, the apps are capable of using compromised devices to download and positively review other malicious apps in the Play store by the same authors. This helps increase the download figures in the Play Store.”

As such, the malware might be thought of more as a nuisance than a direct threat to user security or privacy, but it is a stubborn one: on rooted devices it copies files to the /system partition so that it survives even a factory reset, which wipes only the user data partition and leaves /system untouched.

However, the design of the malware could make it possible for its developers to use compromised devices for “more nefarious purposes” if desired, Lookout claimed.
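Persistence in /system is detectable precisely because that partition is read-only on a stock device and should only change on an OTA update. The following is an added example, not code from the article, Lookout or Check Point: a baseline-and-diff check that hashes every file under a /system tree and reports files that appear or change between two snapshots. It assumes a standard /system layout (app/, priv-app/, build.prop) and a GNU `sha256sum`; the sample tree, the "dropped" APK and the edit to build.prop are constructed here so the script runs offline, and are not the actual files Brain Test writes.

```shell
#!/bin/sh
# Added example: baseline diff for an Android /system partition.
# In practice: run manifest() against /system from an adb shell (or a
# pulled copy) right after flashing, store the output somewhere the
# device cannot write, and diff against a fresh manifest later.

# Print "sha256  ./relative/path" for every regular file under $1,
# sorted by path so two manifests line up.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Compare baseline manifest $1 against current manifest $2.
# Prints ADDED / MODIFIED / REMOVED lines; returns 1 if anything drifted.
diff_manifest() {
    out=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in cur)  if (!(p in base))                print "ADDED " p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
            for (p in base) if (!(p in cur))                 print "REMOVED " p
        }' "$1" "$2" | LC_ALL=C sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Demo on a constructed stand-in for /system (hypothetical contents).
demo() {
    sysroot=$(mktemp -d)
    mkdir -p "$sysroot/app/Calendar" "$sysroot/priv-app/Settings"
    printf 'calendar-apk'   > "$sysroot/app/Calendar/Calendar.apk"
    printf 'settings-apk'   > "$sysroot/priv-app/Settings/Settings.apk"
    printf 'ro.build.id=X\n' > "$sysroot/build.prop"
    manifest "$sysroot" > "$sysroot.base"     # baseline, stored off-tree

    # Simulate what a /system-persisting dropper does on a rooted device:
    # a new privileged APK plus a tampered system file (constructed).
    mkdir -p "$sysroot/priv-app/Helper"
    printf 'dropped-apk'    > "$sysroot/priv-app/Helper/Helper.apk"
    printf 'ro.build.id=X\nro.extra=1\n' > "$sysroot/build.prop"
    manifest "$sysroot" > "$sysroot.cur"

    diff_manifest "$sysroot.base" "$sysroot.cur" || :   # report, keep going
    rm -rf "$sysroot" "$sysroot.base" "$sysroot.cur"
}
```

Running `demo` prints one ADDED line for the dropped APK and one MODIFIED line for build.prop. On a real device the baseline must be taken from a known-good image and kept off the device: a rootkit that can write /system can also rewrite a manifest stored beside it.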

Google removed the offending 13 apps from the Play store promptly once notified by the security vendor. But the incident should serve as another reminder that even official stores are not immune to malware, even if it remains relatively rare there these days.
