Check Point researchers found sophisticated new malware on Google Play which has infected between 200,000 and 1 million users. The malware is packaged within an Android game app called BrainTest, which was published to Google Play twice. Each instance had between 100,000 and 500,000 downloads according to Google Play statistics.
The malware is described as having a new level of sophistication as it uses multiple, advanced techniques to avoid Google Play malware detection, and to be persistent on target devices. The malware was first detected on a Nexus 5 smartphone, and even though the user attempted to remove the infected app, the malware reappeared on the same device shortly after.
The malware establishes a rootkit on the device, allowing it to download and execute any code a cybercriminal might want to run – for example, displaying unwanted advertisements, or potentially, downloading and deploying a payload that steals credentials from an infected device.
The malwares creators used multiple methods to evade detection by Google, including bypassing Googles Bouncer Android defence tool which scans submitted apps in the Play store. It detects if the malware is being run from an IP or domain mapped to Google Bouncer and, if so, it will not perform its intended malicious activities. An obfuscation tool was also used to disguise the malware so it could be re-uploaded to Google Play after the first instance was removed.
The malware uses privilege escalation exploits to gain root access on a device and to install persistent malware as a system application, with an anti-uninstall watchdog using two system applications to monitor the removal of one of the components and then reinstall the component.
After the first instance of BrainTest was detected, Google removed the app from Google Play on August 24 2015. Within days, the Check Point research team detected another instance with a different package name but which uses the same code. The malwares creators had used obfuscation to upload the new piece of malware to Google Play. Check Point notified Google on September 10 and the app containing the malware was removed from Play on September 15.
Check Point recommends that users employ up to date anti-malware software that is capable to identify the threat. If the threat reappears on the device after the first installation, it means that the malware managed to install the persistency module, in which case the device should be re-flashed with a new version of the official ROM.