How To: See If You’re Infected by Brain Test Malware and Remove The Threat


A major security alert for Android users comes from Lookout, a company that focuses on the cyber security of mobile devices. Brain Test is a family of malware that was initially discovered last year, around September, when Google Play removed three apps spreading it. In December, Lookout discovered 13 more apps spreading Brain Test malware, some of them quite popular games with 500,000 downloads and 4.5 ratings; all of them had average or higher-than-average ratings and tens of thousands of downloads.

The apps containing the malware were particularly harmful to rooted devices, because on those they granted themselves root permissions, which enabled them to:

  • remain installed even after factory reset;
  • post bogus but positive ratings for their peer apps on Google Play on behalf of the user;
  • download and install peer malware-infected apps on the device.

The apps came from the same developers, yet the group used different developer accounts to submit their apps and games to the Play Store. Lookout reported the issue to Google, which pulled the 13 apps from the store.

Cake Tower was one of the most popular games involved in the scheme, with 10,000 – 50,000 installs and a 4.5 rating, but the range of infected apps and games is quite impressive. It is worth noting that they did not show the warning signs from the start: the suspicious functionality was enabled later on, delivered with updates.

You may ask how these malware apps got their high ratings, positive reviews and large download counts. The answer lies in the malware functionality itself: the apps download their own peer malware apps and rate them on behalf of the infected devices, so the ratings look quite normal to an unsuspecting user looking for a new time killer.

The malware apps also detected whether the device was rooted and, if so, copied some files to the /system partition in order to remain installed after a factory reset.
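Because the persistence relies on files planted on /system, one way for the owner of a rooted device to look for it is to compare the packages whose APK lives on the system partition against the set expected from a clean copy of the same firmware. The script below is an added example written for this article, not tooling from Lookout or Google: it parses the output format of Android's `pm list packages -f` (fed here from a constructed sample; on a real device you would pipe `adb shell pm list packages -f` into the function) and prints every /system-resident package that is missing from a baseline list. The baseline entries and package names are constructed placeholders.

```shell
# Flag packages whose APK lives on the /system partition but which are not in
# a baseline of packages known to ship with the OEM image.
# Added example for this article; not Lookout's or Google's tooling.

# Baseline: one package name per line that the OEM image is expected to carry.
# (Constructed sample; build yours from a clean device of the same model/firmware.)
BASELINE="com.android.settings
com.android.systemui
com.example.oem.launcher"

# Sample 'pm list packages -f' output in the package manager's real format:
#   package:<apk path>=<package name>
# (Constructed sample; on a device run: adb shell pm list packages -f)
SAMPLE_PM_OUTPUT="package:/system/app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/app/oem_launcher.apk=com.example.oem.launcher
package:/system/app/x.apk=com.example.dropped.helper"

# Usage: flag_unexpected_system_packages "$baseline" < pm_output
# Prints "<package> <apk path>" for each /system package absent from the baseline.
flag_unexpected_system_packages() {
    baseline="$1"
    while IFS= read -r line; do
        case "$line" in
            package:/system/*) ;;       # only system-partition APKs are of interest
            *) continue ;;              # /data/app installs are removed by a reset anyway
        esac
        entry="${line#package:}"        # strip the "package:" prefix
        apk="${entry%=*}"               # text before the last '=' is the APK path
        pkg="${entry##*=}"              # text after the last '=' is the package name
        # grep -F -x: fixed-string, whole-line match against the baseline
        if ! printf '%s\n' "$baseline" | grep -Fxq -- "$pkg"; then
            printf '%s %s\n' "$pkg" "$apk"
        fi
    done
}

# Run against the constructed sample; only the planted helper should be reported.
printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_unexpected_system_packages "$BASELINE"
```

A clean result is not conclusive on a rooted device, since anything running as root could also tamper with what the package manager reports; treat a hit as confirmation and an empty list as merely "nothing found".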


How to remove Brain Test malware

As you may have understood by now, uninstalling the infected app does not solve the problem on rooted devices, and neither does a factory reset. Owners of rooted devices that had one of the infected apps installed have to go through the process of re-flashing the ROM supplied by the device’s manufacturer. Ouch. By the way, here is the guide on how to un-root your device. If you wish to keep your device rooted, you will have to root it again after you have re-flashed the manufacturer-supplied ROM. Of course, do not forget to back up your important files and data before you proceed.

That this is necessary to purge the malware is clear. Even though all these apps did was secretly download and install peer apps and leave bogus ratings and reviews on the Play Store, the same root-level foothold can be used for far more nefarious purposes than boosting their own ratings.

This model of “promoting” a mobile app or game has gained popularity among some “marketing” companies that offer app developers “guaranteed downloads.” In practice, what they did was compromise the security of thousands of devices and inflate the ratings and download counts of the infected apps.


Unfortunately, sneaking past Google’s malware screening remains a routine exercise for shady dealers, while Android devices remain some of the most popular on the planet. Many of them are high-end smartphones and tablets, and we have yet to see commissioned research into the actual number of rooted devices. It is convenient for Google to blame the users of rooted devices for letting the malware gain root privileges, but flaws in Google’s review algorithms have been the cause of far too many disasters that had nothing to do with root.

“The Brain Test malware was able to detect when it was under review by Google Play vs. when it was running on a user’s device. This detection mechanism likely allowed it easier passage through the app review process since it didn’t exhibit any malicious behavior when under review,” said Bluebox Security’s Andrew Blaich.