The malicious software family — Brain Test — has managed to make a comeback affecting as many as 13 Android apps, with hundreds of thousands of downloads, from the Play Store. Google has removed all the infected apps from its Store.

"On December 29 we confirmed our suspicions that additional apps containing Brain Test malware were in Google Play. We found 13 Brain Test samples in total, written by the same developers. We contacted Google, who promptly removed these 13 apps from the Google Play Store," states cybersecurity firm, Lookout, which reports the return of Brain Test malware in the Play Store.

The infected apps removed from the Play Store are Cake Blast, Jump Planet, Honey Comb, Crazy Block, Crazy Jelly, Tiny Puzzle, Ninja Hook, Piggy Jump, Just Fire, Eat Bubble, Hit Planet, Cake Tower and Drag Box.

The malicious app basically attempts to detect if a device is rooted, and then it copies several files to the/system partition. Performing factory reset is not enough to remove the app from the compromised device, as the process does not clear the/system partition.

The solution

But if your device has been compromised with this malware, the best solution is to first create a backup of all important data of the Android device and then re-flash stock update released by the manufacturer, advises Lookout.

The current version of the Brain Test malware bears features similar to the original version of the malware detected in September 2015. Brain Test was first discovered by cybersecurity firm Check Point in September, which claims the malware was published to Google Play Store twice, with each instance having between 100,000 and 500,000 downloads. The malicious apps that had affected 200,000 to one million users, was later on removed from the Play Store.

The primary goal of this malware is to download and install additional APKs, directed by the C2 server. The developer of the malware uses infected devices to download other malicious software, which in turn boosts the download numbers for each app.

This malware family allows its developers to post positive reviews on their apps. A sample of the malicious software, com.beautiful.caketower had about 10,000 to 50,000 installs with an average rating of 4.5 out of total 23,175 reviews, suggests the Play Store product page of the app. Similarly another sample com.sweet.honeycomb had between 500,000 to 1,000,000 installs with 4.5 rating of total 79,878 reviews.

Lookout states that it took the authors of the malware more than two or three months to explore means to publish the affected apps in the Play Store. A few days before Christmas 2015, the Cake Tower app received an update, which featured a similar functionality found in the initial version of Brain Test, as well as included a new command and control (C2) server.