Brain Test


Brain Test was a piece of malware masquerading as an Android app that tested the user's IQ. [1] [2] Brain Test was discovered by security firm Check Point and was available in the Google Play app store until 15 September 2015. [1] Check Point described Brain Test as "A new level of sophistication in malware". [1]


Brain Test was uploaded on two occasions (as com.zmhitlte.brain and com.mile.brain), starting in August 2015, and both times Google's "Bouncer" failed to detect the malware. After the first removal on 24 August 2015 the software was reintroduced using an obfuscation technique. Tim Erin of Tripwire said that "Bypassing the vetting processes of Apple and Google is the keystone in a mobile malware campaign."

The malware turned out to include a rootkit, the revelation being described as "more cunning than first thought". [3]

The malware is thought to have been written by a Chinese actor, according to Shaulov of Check Point, based on the use of a packing/obfuscation tool from Baidu. Eleven Paths, a Telefonica-owned company, found links to many other pieces of malware, based on the ID used to access Umeng, the Internet domains accessed by the apps, and shared JPG and PNG images. [4]
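The linking technique Eleven Paths is described as using, clustering samples that share an analytics app key, a contacted domain or an embedded image, can be shown in a few lines. The following is an added example written for this page, not code from the article, Check Point or Eleven Paths; the sample records, indicator values and the `cluster` and `shared_indicators` helpers are all constructed for illustration.

```python
"""Cluster app samples by shared infrastructure indicators.

Added example (not from the article). A pair of samples is linked when
they share at least `min_shared` indicators: the same Umeng app key, a
common contacted domain, or a common embedded image hash. Linked pairs
are merged with union-find so transitive links form one family.
All sample metadata below is constructed; none of it is a real indicator.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample metadata keyed by package name (not real apps).
SAMPLES = {
    "com.example.app_a": {
        "umeng_key": "umeng-key-AAA",
        "domains": {"cdn.a.test"},
        "image_hashes": {"img-001", "img-002"},
    },
    "com.example.app_b": {
        "umeng_key": "umeng-key-AAA",            # same analytics key as app_a
        "domains": {"cdn.b.test", "stats.shared.test"},
        "image_hashes": {"img-001"},             # same image as app_a
    },
    "com.example.app_c": {
        "umeng_key": "umeng-key-CCC",
        "domains": {"stats.shared.test"},        # same domain as app_b
        "image_hashes": {"img-009"},
    },
    "com.example.app_d": {
        "umeng_key": "umeng-key-DDD",
        "domains": {"cdn.d.test"},
        "image_hashes": {"img-500"},             # shares nothing
    },
    "com.example.app_e": {
        "umeng_key": None,                       # no analytics SDK embedded
        "domains": {"cdn.e.test"},
        "image_hashes": {"img-002"},             # same image as app_a
    },
}


def shared_indicators(a, b):
    """Return the set of (kind, value) indicators two samples have in common."""
    common = set()
    if a["umeng_key"] and a["umeng_key"] == b["umeng_key"]:
        common.add(("umeng_key", a["umeng_key"]))
    for kind in ("domains", "image_hashes"):
        for value in a[kind] & b[kind]:
            common.add((kind, value))
    return common


def cluster(samples, min_shared=1):
    """Group samples into families; return (sorted groups, per-pair evidence).

    Two samples are linked when they share >= min_shared indicators. Raising
    the threshold demands stronger evidence before merging families.
    """
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    evidence = {}
    for a, b in combinations(samples, 2):
        common = shared_indicators(samples[a], samples[b])
        if len(common) >= min_shared:
            evidence[frozenset((a, b))] = common
            ra, rb = find(a), find(b)
            if ra != rb:
                parent[rb] = ra

    groups = defaultdict(list)
    for name in samples:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values()), evidence


if __name__ == "__main__":
    for threshold in (1, 2):
        groups, evidence = cluster(SAMPLES, min_shared=threshold)
        print(f"min_shared={threshold}: {groups}")
        for pair, common in sorted(evidence.items(), key=lambda kv: sorted(kv[0])):
            print("  ", sorted(pair), "->", sorted(common))
```

With a threshold of one shared indicator, app_a, app_b, app_c and app_e fall into one family through a chain of single links while app_d stays alone; requiring two shared indicators keeps only the app_a/app_b pair together. The evidence map records which indicators justified each link, which is what an analyst needs when deciding whether a single shared domain (possibly a common CDN) is enough to attribute a sample.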

It appears the app was first detected on a Nexus 5 using Check Point's Mobile Threat Prevention System. The fact that the system was unable to remove the malware alerted the software company's researchers that it was an unusual threat.

According to Check Point, it may be necessary to re-flash the ROM on a device if Brain Test has successfully installed a reinstaller in the system directory.
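A first triage step on a suspect device is to look for the two package names recorded above and for any package living under /system that the device image did not ship with, since a reinstaller placed there is what Check Point says survives normal removal. The following is an added example written for this page, not code from the article or from Check Point. It parses the output of `adb shell pm list packages -f`, whose real format is `package:<apk path>=<package name>`; the captured listing and the system-package baseline are constructed, and the `triage` and `parse_listing` helpers are this example's own.

```python
"""Triage an Android package listing for Brain Test indicators.

Added example (not from the article or Check Point). Input is a capture of
`adb shell pm list packages -f`, one line per package in the form
`package:<apk path>=<package name>`. Two checks are made:
  1. package name is one of the two Brain Test uploads the article records;
  2. APK is installed under /system/ but is absent from the device baseline
     (a candidate for the system-directory reinstaller the article mentions).
The listing and baseline below are constructed for illustration.
"""

# Package names the article records for the two Brain Test uploads.
BRAIN_TEST_PACKAGES = {"com.zmhitlte.brain", "com.mile.brain"}

# Constructed baseline: system packages expected on this device image.
SYSTEM_BASELINE = {
    "com.android.settings",
    "com.android.systemui",
    "com.android.phone",
}

# Constructed capture of `pm list packages -f` (not from a real device).
SAMPLE_LISTING = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/priv-app/TeleService/TeleService.apk=com.android.phone
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/data/app/com.mile.brain-1/base.apk=com.mile.brain
package:/system/app/Helper/Helper.apk=com.example.helper
"""


def parse_listing(text):
    """Yield (package_name, apk_path) pairs from pm list packages -f output."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue  # skip blank lines or noise such as adb warnings
        # rpartition on the last '=' keeps any '=' inside the path intact.
        path, _, name = line[len("package:"):].rpartition("=")
        yield name, path


def triage(text, baseline=SYSTEM_BASELINE):
    """Return a list of (finding, package_name, apk_path) tuples."""
    findings = []
    for name, path in parse_listing(text):
        if name in BRAIN_TEST_PACKAGES:
            findings.append(("known_brain_test_package", name, path))
        if path.startswith("/system/") and name not in baseline:
            findings.append(("unexpected_system_package", name, path))
    return findings


if __name__ == "__main__":
    for finding, name, path in triage(SAMPLE_LISTING):
        print(f"{finding}: {name} ({path})")
```

An `unexpected_system_package` hit is not proof of infection on its own (OEM additions and carrier apps also live under /system, and belong in the baseline), but it is the condition under which the article's remediation applies: an uninstall from the Play Store or Settings will not remove it, and the ROM has to be re-flashed.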

Features

The malware was uploaded in two forms. The packing feature was only present in the second.


References

  1. Polkovnichenko, Andrey; Boxiner, Alon (21 September 2015). "BrainTest – A New Level of Sophistication in Mobile Malware". Retrieved 27 November 2015.
  2. Cluley, Graham (23 September 2015). "Malware hits the Google Play Android app store again (and again)".
  3. Cett, Hans (2 November 2015). "Brain Test malware more cunning than 1st thought". GoMo News. Archived from the original on 26 November 2015. Retrieved 27 November 2015.
  4. "Chinese Cybercriminals Breached Google Play To Infect 'Up To 1 Million' Androids". Forbes.
  5. Kerner, Sean Michael (21 September 2015). "Malicious Brain Test App Thwarts Google Play Android Security". eweek.com. Retrieved 27 November 2015.