Brain Test was a piece of malware masquerading as an Android app that tested the user's IQ. Brain Test was discovered by security firm Check Point and was available in the Google Play app store until 15 September 2015.
Check Point described Brain Test as "A new level of sophistication in malware". Brain Test was uploaded on two occasions (com.zmhitlte.brain and com.mile.brain), starting in August 2015; both times Google's "Bouncer" failed to detect the malware. After the first removal on 24 August 2015 the software was reintroduced using an obfuscation technique. Tim Erin of Tripwire said "Bypassing the vetting processes of Apple and Google is the keystone in a mobile malware campaign."
The malware turned out to include a rootkit, the revelation being described as "more cunning than first thought".
The malware is thought to have been written by a Chinese actor, according to Shaulov of Check Point, based on the use of a packing/obfuscation tool from Baidu. Eleven Paths, a Telefonica-owned company, found links to many other pieces of malware, based on the ID used to access Umeng, the Internet domains accessed by the apps, and shared JPG and PNG images.
The app appears to have been first detected on a Nexus 5 using Check Point's Mobile Threat Prevention system. The fact that the system was unable to remove the malware alerted the company's researchers that it was an unusual threat.
According to Check Point, it may be necessary to re-flash the ROM on a device if Brain Test has successfully installed a reinstaller in the system directory.
Features
The malware was uploaded in two forms. The packing feature was only present in the second.
* Evades detection by Google Bouncer by avoiding malicious behavior on Google servers, identified by IP addresses in the ranges 209.85.128.0–209.85.255.255, 216.58.192.0–216.58.223.255, 173.194.0.0–173.194.255.255 or 74.125.0.0–74.125.255.255, or by the domain names "google", "android" or "1e100".
* Root exploits. Four exploits to gain root access to the system were included, to account for variations in the kernels and drivers of different manufacturers and Android versions, which provide alternative paths to root.
* External payloads via a command and control system. The malware used up to five external servers to provide a variable payload, believed to be primarily advertising related.
* Packing and time delay. The main malware payload is stored inside a sound file; the bootstrap code unpacks it after a time delay.
* Dual install and re-install. Two copies of the malware are installed; if one is removed, the other re-installs it.
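The Bouncer check from the first feature above, reimplemented from the article's listed ranges and name fragments as an added analyst-side script (not code from the malware, from Check Point, or from Google): it reports whether a dynamic-analysis device's egress address or hostname would be classified as Google infrastructure, in which case the sample is expected to stay benign and the analyst should rerun it from a non-matching network before concluding the app is clean. The range values are those the article lists; the function names are this example's own.

```python
import ipaddress

# Address ranges and name fragments the article reports Brain Test treating as
# Google infrastructure (values taken from the Features list above).
GOOGLE_RANGES = (
    ("209.85.128.0", "209.85.255.255"),
    ("216.58.192.0", "216.58.223.255"),
    ("173.194.0.0", "173.194.255.255"),
    ("74.125.0.0", "74.125.255.255"),
)
GOOGLE_NAME_FRAGMENTS = ("google", "android", "1e100")


def ip_in_google_ranges(ip: str) -> bool:
    """True if an IPv4 address falls inside one of the listed Google ranges."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False  # the article lists IPv4 ranges only
    return any(
        ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
        for lo, hi in GOOGLE_RANGES
    )


def name_looks_like_google(hostname: str) -> bool:
    """True if the host or reverse-DNS name contains a listed fragment (case-insensitive)."""
    host = hostname.lower()
    return any(fragment in host for fragment in GOOGLE_NAME_FRAGMENTS)


def behaviour_would_be_suppressed(egress_ip: str, hostname: str) -> bool:
    """Would the article's Bouncer check match this analysis environment?

    A True result means the sample is expected to suppress its malicious
    behaviour, so a clean run here says nothing about the app.
    """
    return ip_in_google_ranges(egress_ip) or name_looks_like_google(hostname)


if __name__ == "__main__":
    # Constructed sample environments, not real analysis hosts.
    for ip, host in (("74.125.10.10", "analysis-01"),
                     ("10.0.0.5", "pixel-lab"),
                     ("198.51.100.7", "android-sandbox")):
        verdict = "suppressed" if behaviour_would_be_suppressed(ip, host) else "observable"
        print(ip, host, verdict)
```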
See also
* Shedun
* XcodeGhost
External links
* Detailed coverage at Forbes
* Video from Graham Cluley on Brain Test
* Washington Post