Android malware bundled in an intelligence-testing game has been published to the official Google Play Store, not once but twice, claiming hundreds of thousands of victims in the process.
Dodgy versions of a gaming app called BrainTest were able to bypass Google’s security scanning of mobile apps using a range of techniques. Security researchers at Check Point reported that the trojan packed a virtual arsenal of privilege escalation exploits, partly directed towards installing a rootkit on compromised devices.
The rootkit means that the malicious software persists on infected devices even after a user uninstalls the dodgy app: the rootkit component reinstalls the malicious code on compromised Android smartphones or tablets.
Cybercrooks used multiple methods to evade detection by Google, including bypassing Google’s "Bouncer" Android defence tool, which scans submitted apps in the Play store.
The malware checks whether it is running from an IP address or domain mapped to Google Bouncer and, if so, does not perform its intended malicious activities. In addition, an obfuscation tool was used to disguise the malware so it could be re-uploaded to Google Play after the first instance was removed.
The rogue BrainTest app was downloaded between 100,000 and 500,000 times both times it was uploaded, according to Google statistics. This suggests that somewhere between 200,000 and one million users got stung.
Google removed the app from Google Play on 24 August 2015. Within days, the Check Point research team detected another instance with a different package name, but which used the same code. Check Point notified Google on 10 September and the app containing the malware was removed from Play on 15 September.
The attack shows that mobile malware threats are getting steadily more sophisticated, particularly in their ability to bypass current security mechanisms. It further illustrates that the comforting notion that downloads from the Play Store are safe is false.
Evidence of malfeasance on the Google Play Store follows hot on the heels of reports of apps on Apple's App Store being infected with malware. The first large-scale cyberattack against Apple's iOS App Store came after hackers tricked developers into downloading and using a spoofed version of Apple's Xcode developer software.
A write-up of the Google threat – complete with screenshots and flowcharts – can be found in a blog post by Check Point here. ®