Brain Test

Brain Test was a piece of malware masquerading as an Android app that tested the user's IQ. Brain Test was discovered by security firm Check Point and was available in the Google Play app store until 15 September 2015. Check Point described Brain Test as "A new level of sophistication in malware".

Brain Test was uploaded on two occasions (com.zmhitlte.brain and com.mile.brain), starting in August 2015; both times Google's "Bouncer" failed to detect the malware. After the first removal on 24 August 2015 the software was reintroduced using an obfuscation technique. Tim Erin of Tripwire said that "Bypassing the vetting processes of Apple and Google is the keystone in a mobile malware campaign."

The malware turned out to include a rootkit, a finding described as "more cunning than first thought".

The malware is thought to have been written by a Chinese actor, according to Shaulov of Check Point, based on the use of a packing/obfuscation tool from Baidu. Eleven Paths, a Telefonica-owned company, found links to many other pieces of malware, based on the ID used to access Umeng, the Internet domains accessed by the apps, and shared JPG and PNG images.

It appears the app was first detected on a Nexus 5 using Check Point's Mobile Threat Prevention System. The fact that the system was unable to remove the malware alerted the software company's researchers that it was an unusual threat.

According to Check Point, it may be necessary to re-flash the ROM on a device if Brain Test has successfully installed a reinstaller in the system directory.

Features
The malware was uploaded in two forms. The packing feature was only present in the second.

 * Evades detection by Google Bouncer by avoiding malicious behavior when running on Google servers, identified by IP addresses in the ranges 209.85.128.0–209.85.255.255, 216.58.192.0–216.58.223.255, 173.194.0.0–173.194.255.255, or 74.125.0.0–74.125.255.255, or by the domain names "google", "android" or "1e100".
 * Root exploits. Four exploits to gain root access to the system were included, providing alternative paths to root to account for variations in the kernel and drivers across manufacturers and Android versions.
 * External payloads - via command and control system. The system used up to five external servers to provide a variable payload, believed to be primarily advertising related.
 * Packing and time delay. The main downloaded malware portion sits in a sound file; the bootstrap code unpacks it after a time delay.
 * Dual install and re-install. Two copies of the malware are installed. If one is removed, the other re-installs it.
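The Bouncer-evasion rule above can be turned into a self-check for dynamic-analysis infrastructure: an analyst feeds each sandbox's egress address and reverse-DNS name and learns where a sample applying this rule would stay dormant, so that such hosts are not relied on for behavioral analysis. This is an added example, not Check Point's analysis code nor the malware's; the ranges and name fragments are those listed above, and the sandbox inventory is constructed.

```python
import ipaddress

# Address ranges and name fragments reported for Brain Test's Bouncer check (from the article).
GOOGLE_RANGES = [
    ("209.85.128.0", "209.85.255.255"),
    ("216.58.192.0", "216.58.223.255"),
    ("173.194.0.0", "173.194.255.255"),
    ("74.125.0.0", "74.125.255.255"),
]
NAME_FRAGMENTS = ("google", "android", "1e100")

# Pre-compute CIDR networks once so membership tests are cheap.
GOOGLE_NETWORKS = [
    net
    for first, last in GOOGLE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]


def looks_like_google_infra(ip: str, hostname: str = "") -> bool:
    """Return True if a sandbox with this egress IP or reverse name matches the
    article's dormancy rule, i.e. a Brain Test sample would stay quiet there."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        addr = None  # malformed input: only the hostname test can still fire
    in_range = addr is not None and any(addr in net for net in GOOGLE_NETWORKS)
    name_hit = any(frag in hostname.lower() for frag in NAME_FRAGMENTS)
    return in_range or name_hit


def audit_sandboxes(sandboxes):
    """Given (label, ip, hostname) tuples, return the labels where analysis would be blind."""
    return [label for label, ip, host in sandboxes if looks_like_google_infra(ip, host)]


if __name__ == "__main__":
    # Constructed sample inventory (documentation addresses), not real hosts.
    inventory = [
        ("cloud-sandbox-1", "74.125.10.7", "ex1.1e100.net"),
        ("lab-box", "192.0.2.44", "sandbox.lab.example"),
        ("cloud-sandbox-2", "198.51.100.9", "vm-android-test.example"),
    ]
    print("Hosts where a Brain Test sample would go dormant:", audit_sandboxes(inventory))
```

Note that the hostname test matches the bare substrings the article lists, so a sandbox whose reverse name merely contains "android" is flagged, which mirrors the rule rather than a judgment about the host.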