
BrainTest – A New Level of Sophistication in Mobile Malware

Check Point Mobile Threat Prevention has detected two instances of a mobile malware variant infecting multiple devices within the Check Point customer base.

The malware, packaged within an Android game app called BrainTest, had been published to Google Play twice. Each instance had between 100,000 and 500,000 downloads according to Google Play statistics, reaching an aggregated infection rate of between 200,000 and 1 million users. Check Point reached out to Google on September 10, 2015, and the app containing the malware was removed from Google Play on September 15, 2015.

Overview

The malware was first detected on a Nexus 5 smartphone, and although the user attempted to remove the infected app, the malware reappeared on the same device shortly thereafter. Our analysis shows that it uses multiple advanced techniques to avoid Google Play malware detection and to maintain persistence on target devices.

Once this malware was detected on a device, Mobile Threat Prevention automatically adjusted the security policies on the Mobile Device Management solution (MobileIron) managing the affected devices, thereby blocking enterprise access from the infected devices.

While the malware is capable of facilitating various cyber-criminal goals, our team confirmed it’s currently installing additional apps on infected devices. Disturbingly, the malware establishes a rootkit on the device, allowing it to download and execute any code a cybercriminal would want to run on a device. For example, it could be used to display unwanted and annoying advertisements on a device, or potentially, to download and deploy a payload that steals credentials from an infected device.

Highlights

After the first instance of BrainTest was detected, Google removed the app from Google Play. Within days, the Check Point research team detected another instance with a different package name but the same code. The malware’s creators had used obfuscation to upload the new piece of malware to Google Play.

Technical Analysis

The malware consists of two applications:

  1. The Dropper: Brain Test (unpacked: com.mile.brain; packed: com.zmhitlte.brain). This is installed from Google Play and downloads an exploit pack from the server to obtain root access on the device. If root access is obtained, the application downloads a malicious .apk file (the Backdoor) from the server and installs it as a system application.
  2. The Backdoor: system malware (mcpef.apk and brother.apk). This attempts to persist using several anti-uninstall techniques (described below) and downloads and executes code from the server without user consent.

Detailed Malware Structure

Application lifecycle

Google Bouncer Bypass

On start, the application checks if it is executed on one of the Google servers:

If any of these conditions is true, the application does not continue to execute the malicious flow. This method is designed to bypass the automatic Google Play protection mechanism called Bouncer.

Timebombs, Dynamic Code Loading and Reflection

If Google Bouncer is not detected, the application starts a time bomb that initiates the malicious flow only after 20 seconds and then runs every 2 hours. The time bomb triggers an unpacker thread, which decrypts a Java archive from the assets directory (“start.ogg”), dynamically loads it, and calls the method “a.a.a.b” from this archive.

This method checks whether eight hours have passed since the application’s first run and, if so, sends a request containing the device’s data to the server. The server replies with encoded JSON containing a URL, a class name and a method name. The application then downloads the Java archive from the URL specified in the JSON and dynamically loads it with the class loader API. Once the archive is loaded, the application uses the reflection API to call the methods from the class names specified in the JSON.
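The loader behaviour described above leaves two traits that a static triage pass can look for: an asset carrying a media extension (start.ogg) whose bytes are not actually Ogg, and a classes.dex that references the dynamic class-loading and reflection APIs. The following is an added example, not Check Point’s tooling or code from the malware; it builds a constructed toy APK in memory (a zip with a fake classes.dex byte string) and runs the heuristic over it. Real apps also use these APIs legitimately, so the check only reports “suspicious” when a masked asset and loader indicators appear together.

```python
"""Static triage heuristic for masked assets plus runtime code loading (added example)."""
import io
import os
import zipfile

# File magic expected for extensions commonly used as cover names for bundled payloads.
EXPECTED_MAGIC = {
    ".ogg": (b"OggS",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}

# Dex string-table entries that indicate dynamic loading and reflection (weak on their own).
LOADER_INDICATORS = [
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ljava/lang/reflect/Method;",
    b"forName",
    b"getDeclaredMethod",
]


def asset_is_masked(name, data):
    """True when the asset's extension promises a media format its bytes do not carry."""
    expected = EXPECTED_MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is None:
        return False
    return not any(data.startswith(magic) for magic in expected)


def triage_apk(apk_bytes):
    """Return masked assets, loader indicators and a combined verdict for an APK (zip) blob."""
    masked = []
    indicators = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if info.filename.startswith("assets/") and asset_is_masked(info.filename, data):
                masked.append(info.filename)
            if info.filename.endswith(".dex"):
                indicators.update(i.decode() for i in LOADER_INDICATORS if i in data)
    return {
        "masked_assets": masked,
        "loader_indicators": sorted(indicators),
        # Both traits together: a hidden payload and the code needed to load it at runtime.
        "suspicious": bool(masked) and bool(indicators),
    }


def build_sample_apk(mask_asset=True):
    """Constructed toy APK for the demo: only the zip entries the heuristic reads, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed bytes: an opaque blob standing in for the encrypted archive, or a real Ogg header.
        payload = b"\x00\x11opaque-blob" if mask_asset else b"OggS" + b"\x00" * 16
        zf.writestr("assets/start.ogg", payload)
        # Constructed stand-in for classes.dex: a dex header tag followed by string-table entries.
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00Ldalvik/system/DexClassLoader;\x00forName\x00getDeclaredMethod\x00",
        )
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
    print(triage_apk(build_sample_apk(mask_asset=False)))
```

On a real sample, `triage_apk` takes the raw APK file contents; the asset check is deliberately strict (any non-Ogg bytes under an .ogg name), so expect some noise from apps that ship unusual media and treat the combined verdict, not the individual indicators, as the signal.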

Rooting and Ad Network Presentation

The reflection-loaded methods check whether the device is rooted. If not, the application downloads a pack of exploits from the server and runs them one by one until root is achieved.

As root, the application copies an su binary to the /system/bin directory and silently downloads an APK file from the server. The APK is then installed as a system application and registers a listener for the USER_PRESENT event. This event triggers an archive-downloading thread. Once the event fires, the thread registers a timer; the timer triggers an additional thread that makes a request to the server, expecting JSON with a URL, a class name and a method name. It downloads one more archive and dynamically loads code from it.

The final APK is downloaded from a different URL, which is currently down. We assume the APK’s purpose is to overlay ads on the screen; this assumption is based on our research into the API we found, which returns the URL of a random APK file containing different advertising networks.

Persistency Watch-Dog

The application contains protection against its own removal. As outlined in the diagram above, it installs an additional application with the same functionality, and the two applications monitor each other for removal. If one of the applications is deleted, the other downloads and re-installs it.

Network activity

BrainTest communicates with five servers:

Counter Measures

Use up-to-date anti-malware software that is capable of identifying this threat.

If the threat reappears on the device after the first removal, it means that the malware managed to install the persistence module in the system directory. In this case, the device should be re-flashed with an official ROM.
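Deciding between an uninstall and a re-flash comes down to whether the dropper alone is present or the system-partition components are too. The following is an added example, not Check Point’s tooling: a host-side check that parses the text printed by `adb shell pm list packages -f`, `adb shell find /system -name '*.apk'` and `adb shell ls -1 /system/bin`, and flags the indicators named in this analysis (the dropper package names, the mcpef.apk and brother.apk backdoor files, and an su binary in /system/bin). The sample command outputs embedded below are constructed for this example, and the package name attached to the backdoor APK is a placeholder, since the page does not give it.

```python
"""Map BrainTest indicators from device inventory output to a remediation decision (added example)."""
import re

# Indicators taken from the analysis above.
DROPPER_PACKAGES = {"com.mile.brain", "com.zmhitlte.brain"}
BACKDOOR_APKS = {"mcpef.apk", "brother.apk"}

PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>\S+)$")

# Constructed sample output of `adb shell pm list packages -f` (package name for the backdoor is a placeholder).
SAMPLE_PM = """package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/com.mile.brain-1/base.apk=com.mile.brain
package:/system/app/mcpef/mcpef.apk=com.placeholder.backdoor
"""

# Constructed sample output of `adb shell find /system -name '*.apk'`.
SAMPLE_FIND = """/system/app/Calendar/Calendar.apk
/system/app/mcpef/mcpef.apk
/system/priv-app/brother.apk
"""

# Constructed sample output of `adb shell ls -1 /system/bin`.
SAMPLE_BIN = """sh
toybox
su
"""


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("path")
    return pkgs


def basenames(text):
    """Collect the final path component of every non-empty line in a listing."""
    return {line.strip().rsplit("/", 1)[-1] for line in text.splitlines() if line.strip()}


def assess(pm_output, find_output, bin_output):
    """Return the indicators found and whether the persistence module warrants a re-flash."""
    pkgs = parse_pm_list(pm_output)
    # System-partition APK names come from the find listing and from any pm path under /system/.
    system_apks = basenames(find_output)
    system_apks.update(
        path.rsplit("/", 1)[-1] for path in pkgs.values() if path.startswith("/system/")
    )
    backdoor_apks = sorted(system_apks & BACKDOOR_APKS)
    su_present = "su" in basenames(bin_output)
    return {
        "dropper_packages": sorted(p for p in pkgs if p in DROPPER_PACKAGES),
        "backdoor_apks": backdoor_apks,
        "su_in_system_bin": su_present,
        # Components in the system partition survive a normal uninstall, so re-flashing is the fix.
        "reflash_recommended": bool(backdoor_apks) or su_present,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PM, SAMPLE_FIND, SAMPLE_BIN))
```

An su binary in /system/bin is also present on devices that were rooted deliberately, so on a managed fleet that signal should be read together with the APK indicators rather than on its own; a dropper package without any system-partition component is the case where an ordinary uninstall is expected to hold.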
