Devs get malicious root app militia on Play Store, sell pumped-up ratings
Modders at risk
Google has punted 13 apps from its Play Store, including one installed a million times and capable of gaining persistent root, downloading additional apps, and leaving fake positive reviews.
The Brain Test apps slipped past the Chocolate Factory's Google Verify Apps (formerly Bouncer) vetting system and were downloaded scores of times, both by users and, without any user interaction, by the malware itself.
The malware can gain persistence only on devices that users have already rooted, a process many undertake to replace abandoned stock ROMs with updated and maintained community variants.
The apps contained functional and enticing games that lured users into installing the initial infected app.
Once root access was achieved, the apps would download other infected Brain Test apps and leave positive reviews in a bid to boost their credibility.
Lookout researcher Chris Dehghanpoor says the authors are attempting to sell guaranteed app rating boosts by causing infected phones to download and review other apps.
"It seems likely that over two to three months, the malware authors used different names, games, and techniques to see what apps they could publish in Play while flying under the radar," Dehghanpoor says.
"Then, just before Christmas, a game called Cake Tower received an update [that] included a new command and control server, which was the smoking gun we needed to tie together the apps.
"Some [apps] are highly rated because they are fun to play [and] are capable of using compromised devices to download and positively review other malicious apps in the Play store by the same authors."
Users infected by the rooted apps can easily remove them by reflashing their ROMs through a recovery console, a process with which many who root their devices will already be familiar.
It is the group's latest successful compromise of Play Store app offerings. In September the authors beat Bouncer to get their Brain Test app onto the store, where it was installed up to half a million times.