back to article Cyber crims up the ante with Google Play brainteaser malware

Android malware bundled in an intelligence-testing game has been published to the official Google Play Store, not once but twice, claiming hundreds of thousands of victims in the process. Dodgy versions of a gaming app called BrainTest were able to bypass Google’s security scanning of mobile apps using a range of techniques. …

  1. Electron Shepherd
    Unhappy

    So the second attempt sat there for almost a week

    Within days, the Check Point research team detected another instance with a different package name, but which used the same code. Check Point notified Google on 10 September and the app containing the malware was removed from Play on 15 September.

    I realise that someone has to make sure this isn't just the developer of a competing app trying to cheat the system, but five days seems a very long time for a company with Google's resources.

    1. ratfox

      Re: So the second attempt sat there for almost a week

      Large companies get slower, not faster.

  2. Mark 85

    The one they know...

    How many are there that Google doesn't know about? It seems the miscreants know more about the security of the Play Store than Google does from way they're managing to work around it. And then it takes 5 days for them to pull it after being notified? Sort of makes a statement about how seriously Google takes "user security".

    1. ingie

      Re: The one they know...

      reading thru the full report by Checkpoint [linked in the article, but here for ease of use]

      http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/

      it seems that the bypass of Play Store was actually quite simple, and an obvious thing... well, not obvious, but something that someone with any imagination in malware would probably at least try.

      it seems all it had to do was "not be a malware unless you're not on a google server" - and then download the actual crack once the app is in the wild.

      i like [in a coder, hacking appreciative way] how they used a double-watchdog to check whether its friend had been uninstalled [ the listed brother.apk and mcpef.apk ]

      1. DropBear
        Joke

        Re: The one they know...

        "not be a malware unless you're not on a google server"

        This MO is proof positive. It was clearly coded by Volkswagen staff...

    2. Dadmin

      Re: The one they know...

      Compared to the walled garden, I prefer a little hack-spice in my app store. Keeps the G-men on their toes, and let's be quite honest; the Play Store has better admin tools and the like than the iWalled iGarden. Hand's down. I last seriously used the crApp Store back when the first gen iPod Touches came a-touchin'. You and I both know what happened next; seriously unimpressed, got a Sammy Pad, then three more for various local users. Google may have some nasty security problems as of late, and rightly so; there are many MANY manufactures of Android devices out there and things can get hectic fast, and the blackhats know it and make good use of it. As for Apple; they make two products that have their own OS, that's it. And the iCloud junk, but so does Geepers Creepers. So, I'd say Apple has a much easier time with rolling out updates and keeping a lid on the garden of walls. Google has a LOT to contend with, and I'm not surprised they have slipped a bit lately, but I have my faith in Big G, and I'm okay with them for the most part. Isn't that enough?

  3. EvilGardenGnome

    FTFY

    "This suggests that somewhere between 200,000 and one million users got stung."

    Should be between 100,000 and 1 million devices. Could be the same people on the same devices, or one person with multiple devices (maybe 1 person with 500k devices!).

    Don't get me wrong, this is an impressive penetration. Just being a touch anal retentive.

  4. Anonymous Coward
    Anonymous Coward

    Full points for irony though..

    An IQ test which contains malware - someone clearly has a sense of humour...

    1. Ugotta B. Kiddingme

      Re: Full points for irony though..

      While I do agree about the irony, raw IQ != tech knowledge/ability. In my years working for a chemical manufacturer, I've known PhD chemists who were positively brilliant in their fields but were mystified by simpler tasks such as remembering one's login credentials for more than 24 hours...

      1. h4rm0ny

        Re: Full points for irony though..

        There is a quote from G.K.Chesterton who was a very intelligent person with accomplishments in a very wide range of fields who telegraphed his wife with the question: "Am in Birmingham. Where ought I to be?"

        Intelligence and technological expertise certainly are not joined at the hip. Though those with the latter tend to presume that those without it also lack the former, unfortunately.

  5. Anonymous Coward
    Anonymous Coward

    Weasel words

    "Partly directed towards installing a rootkit on compromised devices."

    Did it, or did it not? Facts please

    "The reflection loaded methods check if the device is rooted. If not, the application downloads a pack of exploits from the server and runs them one-by-one up until root is achieved."

    Details please, I would love to oneclick root my device, but it's locked down tight. However these vague words suggest it's trivial. What android version??? Who wants to bet something ancient. It's misleading to assume everyone that downloaded this got caught by this.

    Checkpoint strikes again..

    1. Anonymous Coward
      Anonymous Coward

      Re: Weasel words

      Why ancient: See the other Reg article about Android malware being used:

      "The trio say the attack builds its network of customers by tricking them to install malware that gains root access on some 308 different handsets running virtually all versions of the Android operating system from Gingerbread (2.3.4) to the lastest stable Lollipop (5.1.1) build."

      http://www.theregister.co.uk/2015/09/23/chinese_ad_firm_pwns_android_users_creates_hijackable_global_botnet/

      I'm with you (as posted there), I'd love this malware code that can root, seemingly very easily.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like