Everything You Need To Know About the Malicious Apps in Google Play

Earlier this month, the Google Play store was reduced to chaos with the discovery that 13 apps - several of which were extremely popular- were infected with malware developed by the infamous China-based BrainTest, a malicious “brand” that had been lurking in the shadows, but has now made a comeback.

We’ve rounded up everything you need to know about this attack on Android users:

First and foremost, make sure that none of these apps are installed on your device: Cake Blast, Jump Planet, Honey Comb, Crazy Block, Crazy Jelly, Tiny Puzzle, Ninja Hook, Piggy Jump, Just Fire, Eat Bubble, Hit Planet, Cake Tower, and Drag Box

These apps, when viewed in the store, appeared to have many downloads and four-star reviews, so many users were lured into installing them. However, both of those factors were actually facilitated by part of the malware.

The primary goal of this malware is to download APKs that give the developers increased control over the device, as well as download other malicious applications from Google Play and post positive reviews – this is the function that resulted in the inflated download numbers, and acts to lure more innocent users into downloading their products.

The mobile security company responsible for notifying Google of the malware, Lookout, said that the intent of this type of malware is to sell guaranteed app installs to their clients, though they warn that “its flexible design could allow the developers to utilize infected devices for more nefarious purposes if they desired.

This type of malware is shockingly common, and “guaranteed installation” as a service is a huge underground market, especially in China, where BrainTest is based. This explains why many of the applications listed were fully functioning, “actually fun” games, according to Lookout’s Chris Dehghanpoor.

There are other companies that are guilty of the same actions, and security firm FireEye Labs stated in a blog that it has observed over 300 “malicious, illegitimate versions of Android apps being distributed, including: Amazon, Memory Booster, Clean Master, PopBird, YTD Video Downloader, and Flashlight.” Infections of this nature currently have the ability to compromise most Android devices, as they are compatible with 2.3.4to 5.1.1.

The malicious adware workflow is as follows:

1. Once installed, the malware uploads the user’s information, as well as information about the device to remote servers. It iterates to the following domains, posting the information collected once a connection is formed: aedxdrcb.com; hdyfhpoi.com; syllyq1n.com and wksnkys7.com.

2. Encryption of the data is executed using AES/CBC/NoPadding followed by Base64 and includes the device model details, MACaddress, IMEI/IMSI, system and software info. This is non-critical information.

3. The APK com.dashirootmaster.demo is downloaded. This file uses dynamic loads logic and executes the process of rooting the victim’s phone.

4. Using a shell script calls “rsh,” the app extracts native executables with rx binary, which correspond to a root exploit, such as Framaroot, put_user exploit and Mempodroid.

5. Once rooted, the phone is susceptible to rsh script. This script remounts / system as writable, implants SU daemon as the root backdoor, and appends a line into install-recovery.sh, which executes on boot

6. (This is the most dangerous step) The script sets install-recover.sh as immutable, which means that even if the phone is given a factory reset, the malware is still in place.

7.  The final step is installing APKs into /system partition, which gives the developers consistent control over the device.

Unfortunately, due to the nature of this malware, a factory reset is just not enough to clear the device. The best course of action is to -after saving your critical files - reflash the ROM.