January 6, 2016

Brain Test re-emerges: 13 apps found in Google Play


The malware family Brain Test, unfortunately, has made a comeback. Some variants attempt to gain root privilege and persist through factory resets and other efforts to remove them, especially on rooted devices.

Lookout consumer and enterprise users are protected.

In October 2015, we discovered several applications live in the Google Play Store that looked suspiciously like they were written by the developers behind the Brain Test malware family. Curiously, these apps had hundreds of thousands of downloads and at least a four star average review score — indicating a satisfying app experience, not obtrusive adware. Not long before, in September, Google had removed two Brain Test samples after a report by Check Point.

It took more research, aided by the Lookout Security Cloud, to connect the dots, but on December 29 we confirmed our suspicions that additional apps containing Brain Test malware were in Google Play. We found 13 Brain Test samples in total, written by the same developers. We contacted Google, who promptly removed these 13 apps from the Google Play Store.

How did these apps appear in the Play Store? It seems likely that over 2-3 months, the malware authors used different names, games, and techniques to see what apps they could publish in Play while flying under the radar. Then, just before Christmas, a game called Cake Tower received an update. The update turned on functionality similar to the initial versions of Brain Test and included a new command and control (C2) server, which was the smoking gun we needed to tie together the apps.

The explanation for the apps’ high ratings and hundreds of thousands of downloads is the malware itself. First, some of the apps are fully functioning games and are highly rated because they are fun to play. Mischievously, though, the apps can use compromised devices to download and positively review other malicious apps by the same authors in the Play Store, which inflates their download figures. The malware also attempts to detect whether a device is rooted and, if so, copies several files to the /system partition in an effort to ensure persistence, even after a complete factory reset. This behavior closely resembles several other malware families we’ve seen recently, specifically Shedun, ShiftyBug, and Shuanet.

Unfortunately, Brain Test is back, but Google worked quickly to remove the malicious apps we discovered, and we are continuing to monitor for new variants.  


Unfortunately, a simple factory reset (in other words, using the ‘Factory Reset’ option from the Settings application on an Android device) is not enough to remove the malware, as factory resets do not clear the /system partition. The best option for most users would be to back up anything on their device they would like to save, and then re-flash a ROM supplied by the device’s manufacturer. Users can check with their device manufacturer for the proper steps on flashing a factory ROM.
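Because the persistence APK lands in /system/priv-app, where a factory reset does not reach, one practical check is to compare the privileged packages on a device against a known-good list from a clean factory image. The following is an added example written for this post, not Lookout’s tooling: it parses the output of `pm list packages -f` (the sample output and the baseline set are constructed, and the vendor prefix list is an assumption a real audit would replace with the device’s actual factory inventory) and flags priv-app packages that are not in the baseline, noting when a package name is a near miss of a legitimate vendor namespace, as ‘com.qualconm.power’ is.

```python
import difflib
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumption: namespaces that legitimately ship in /system/priv-app on many
# devices. A real audit would derive the baseline from a clean factory image.
KNOWN_VENDOR_PREFIXES = ["com.android", "com.google", "com.qualcomm", "com.samsung"]

# `pm list packages -f` prints one line per package: package:<apk path>=<package name>
PM_LINE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>\S+)$")

# Constructed sample output for a rooted test device (not captured from a real one).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/Phonesky/Phonesky.apk=com.android.vending
package:/system/priv-app/power/power.apk=com.qualconm.power
package:/data/app/com.beautiful.caketower-1/base.apk=com.beautiful.caketower
"""

# Constructed baseline: what the factory image is known to place in priv-app.
FACTORY_BASELINE = {"com.android.settings", "com.android.vending"}

def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("path")
    return pkgs

def lookalike_prefix(pkg: str) -> Optional[str]:
    """Return the vendor prefix a package name imitates, if it is a near miss."""
    prefix = ".".join(pkg.split(".")[:2])
    if prefix in KNOWN_VENDOR_PREFIXES:
        return None
    close = difflib.get_close_matches(prefix, KNOWN_VENDOR_PREFIXES, n=1, cutoff=0.85)
    return close[0] if close else None

def audit_priv_app(output: str, baseline: Set[str]) -> List[Tuple[str, str]]:
    """Flag packages installed under /system/priv-app that the baseline does not list."""
    findings = []
    for pkg, path in parse_pm_list(output).items():
        if not path.startswith("/system/priv-app/") or pkg in baseline:
            continue
        imitates = lookalike_prefix(pkg)
        reason = f"not in baseline; name resembles {imitates}" if imitates else "not in baseline"
        findings.append((pkg, reason))
    return findings
```

On a real device the output comes from `adb shell pm list packages -f`; anything flagged here is a candidate for closer inspection, not proof of infection, since carriers and OEMs also add priv-app packages.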

Technical Analysis

The technical analysis will focus on the most recent update to ‘com.beautiful.caketower’ (SHA1: 18b387c31797a23f558c67194cd2483dcf8cd033), which was made available on the Google Play Store on December 23, 2015. The behavior this sample exhibits closely follows the behavior observed in the initial batch of Brain Test samples.

Initial Launch

After the application is installed and initially executed, it does the following:

1) Starts a watchdog executable that reports to the C2 when the application has been uninstalled (Figure 1)

Figure 1

2) Decrypts the asset located at ‘assets/res/drawable/pw.png’ and copies it to ‘/data/data/com.beautiful.caketower/app_cache’ with a randomly generated filename (e.g. ‘11ya’). This decrypted asset is a malicious APK that is used for persistence (package name: “com.qualconm.power”, SHA1: f52bc39bda66d347cc108f15e7efee52f7e7a112). (Figure 2)

Figure 2

3) Writes a small shell script to ‘/data/data/com.beautiful.caketower/app_cache’. If the device is rooted, it executes the shell script, which will copy the previously dropped persistence APK to the ‘/system/priv-app’ directory on the device, ensuring persistence even after a factory reset (Figure 3)

Figure 3

Subsequent Behavior

After the initial persistence routine completes, several background services continue to check in with the command-and-control servers. Like the original Brain Test variants, the current version can download additional configuration parameters from the command-and-control server, execute arbitrary commands as root, and dynamically load and execute additional Java code.

It appears the primary goal of the malware is to download and install additional APKs as directed by the command-and-control server. The developers also used infected devices to download other malicious applications they had submitted to the Play Store, which would inflate the number of downloads each application received.

Additionally, the malware provided capabilities that allowed the developers to post positive reviews on their own malicious applications using compromised devices, which may explain why every sample we observed had a rating higher than 4.0. Their last malicious application to receive an update before removal, ‘com.beautiful.caketower’, had between 10,000 – 50,000 installs and a 4.5 average rating out of 23,175 reviews, according to the application’s Google Play Store page (Figure 4), while another associated sample, ‘com.sweet.honeycomb’ (SHA1: edb88aea5f9ad489db5869ad49252a865d5cd9f0) had between 500,000 – 1,000,000 installs with an average 4.5 rating out of 79,878 reviews (Figure 5).

While the malware’s primary motive is likely selling guaranteed application-installs, its flexible design could allow the developers to utilize infected devices for more nefarious purposes if they desired.

Figures 4 & 5


Brain Test’s end goal has always been money. There has been an emergence of entities, primarily originating from China, that have been selling guaranteed application-installs to developers. In order to facilitate the installs, they rely on compromising a large number of devices and then pushing the installs to those devices. Similar tactics have been around for many years in the PC world, and we’ve seen multiple Android malware families take a similar approach.

What differentiates this particular situation, though, is the delivery mechanism: where PC malware is typically served through misleading advertisements or drive-by-downloads, this malware made it onto a mainstream app store, and in some cases, obtained over 500,000 downloads and an average 4.5 rating before removal. While it’s definitely true that users are considerably safer when downloading only from a mainstream source like the Google Play Store, we recommend users remain cautious and use additional security software to ensure the safety of their device.


Below is a list of applications that were removed from the Google Play Store:

(Image: list of removed applications)

  1. Ben Actis says:

    OMG I work with this guy, I will sell signed copies of Chris’s autograph for 5 dollars.

  2. Mike Railey says:

    Thank you for your hard work to keep us safe. I have been a Lookout user for years now, and I tell everyone to get it. I have made all my family members go premium like me. Thanks. I wish there was a way to stay more up to date on what you are doing, have found, etc.

    • Meghan Kelly says:

      Hi Mike, so glad we’re serving you well! Definitely keep an eye on our blog and you can follow us on Twitter, Facebook, and Instagram! We appreciate awesome customers like you, so thank you.

  3. Roman says:

    Hello great work, can you clarify a few things for me.

    1. Do these apps have the ability to root a device on their own or do they take advantage of previously rooted devices only?

    2. If a rooted user has SuperUser installed will this app cause the root access prompt to pop up?

    3. Has there been a confirmed case of self rooting malware in the Play Store as far as you know?


  4. Roman says:

    Ohh one more thing! I also remember reading that Google has the ability to uninstall any App installed from the Playstore from users devices, did they do that in this case?

    • Meghan Kelly says:

      Hi Roman, I checked in with our security research team and here are their thoughts. Hope this helps!

      1. Do these apps have the ability to root a device on their own or do they take advantage of previously rooted devices only?

      The original Brain Test variants did have the ability to automatically root some devices, however, we did not observe that behavior in any of the 13 samples we recently discovered. The new variants attempt to take advantage of any existing root privilege.

      2. If a rooted user has SuperUser installed will this app cause the root access prompt to pop up?

      Sometimes; it depends how the device was rooted. Users won’t be prompted if one of the related families (e.g. the original Brain Test, or even Shedun, Shuanet, or ShiftyBug, which we reported about in November) was responsible for rooting the device. Users will see the SuperUser pop-up if another method was used to root the device, such as a user rooting the device.

      3. Has there been a confirmed case of self rooting malware in the Play Store as far as you know?

      The original Brain Test samples exhibited this behavior, but downloaded their exploit packs for rooting from a remote server after installation.

      4. I also remember reading that Google has the ability to uninstall any App installed from the Playstore from users devices, did they do that in this case?

      We have not observed this on any of our test devices.

  5. JustAsking says:

    Did Lookout detect this malware?

  6. Chen John L says:

    Just wondering, does this malware also affect users who are not rooted? To the best of my understanding, apps without root privilege would not be able to install another app (if “Allow installation of apps from Unknown sources” option is disabled in settings, which is the default on most devices), or post reviews on behalf of the owner.

    • Meghan Kelly says:

      Hi there, thanks for your question. Unfortunately some variants of Brain Test actually have the ability to root the victim’s device. From there it can install further applications and persist on the device.

  7. Vishal says:

    Shouldn’t “Lookout”, installed on a phone, just deny these apps permission to copy the data to the system partition??

    • Meghan Kelly says:

      If a person comes into contact with Brain Test, we will detect the malware and alert the individual so that they can remove the offending app before it does damage. Hope this helps!

  8. Ter says:

    Root is not available in most phones

  9. Ronny says:

    I received an e-mail from Lookout this morning, with a link to this article.

    I have never subscribed to e-mails from you, and there is no link in the e-mail to unsubscribe.

    The e-mail came from info@lookout.com – which is an e-mail address you can’t e-mail to (it bounces).

    You have to provide an unsubscribe method to your marketing/spam e-mails.

    Please remove me from any and all of your mailing lists.

    Sorry to post this here, but I have seen no other way to contact you.

    • Meghan Kelly says:

      Hi Ronny, very sorry about that. Our emails should always come with an unsubscribe button. After talking with our email communications team, I’ve confirmed that an error in our template did not populate the Brain Test communication with our regular boilerplate unsubscribe button. We are working to remediate that now and I’ve asked that they remove your name as well. Thanks for your patience and apologies for the inconvenience.

  10. In addition to malware apps, adware too is getting trojanised and rooting itself into our devices, and it seems to get more and more sophisticated with time. The fact that these apps are fully functional makes them even more difficult to identify, and what is scary is that some of these are as yet impossible to remove, leaving us with no choice but to replace our devices altogether. Google Android has to come up with a better protection plan.
