{
	"id": "fe00aec9-75f1-482a-9e82-7d20866f75b5",
	"created_at": "2026-04-06T00:15:05.663643Z",
	"updated_at": "2026-04-10T03:30:57.242953Z",
	"deleted_at": null,
	"sha1_hash": "8369d196a691501e935d6a29cbd417f1207f50e4",
	"title": "Brain Test Re-Emerges: 13 Apps Found in Google Play",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 521840,
	"plain_text": "Brain Test Re-Emerges: 13 Apps Found in Google Play\r\nBy Lookout\r\nPublished: 2016-01-06 · Archived: 2026-04-05 18:06:22 UTC\r\nSummary\r\nThe malware family Brain Test, unfortunately, has made a comeback. Some variants attempt to gain root privilege,\r\nand persist factory resets and other efforts to remove it, especially on rooted devices.\r\nLookout consumer and enterprise users are protected.\r\nIn October 2015, we discovered several applications live in the Google Play Store that looked suspiciously like\r\nthey were written by the developers behind the Brain Test malware family. Curiously, these apps had hundreds of\r\nthousands of downloads and at least a four star average review score -- indicating a satisfying app experience, not\r\nobtrusive adware. Not long before, in September, Google had removed two Brain Test samples after a report by\r\nCheck Point.\r\nIt took more research, aided by the Lookout Security Cloud, to connect the dots, but on December 29 we\r\nconfirmed our suspicions that additional apps containing Brain Test malware were in Google Play. We found 13\r\nBrain Test samples in total, written by the same developers. We contacted Google, who promptly removed these\r\n13 apps from the Google Play Store.\r\nHow did these apps appear in the Play Store? It seems likely that over 2-3 months, the malware authors used\r\ndifferent names, games, and techniques to see what apps they could publish in Play while flying under the radar.\r\nThen, just before Christmas, a game called Cake Tower received an update. The update turned on functionality\r\nsimilar to the initial versions of Brain Test and included a new command and control (C2) server, which was the\r\nsmoking gun we needed to tie together the apps.\r\nThe explanation for the apps’ high ratings and hundreds-of-thousands of downloads is the malware itself. First off,\r\nsome of the apps are fully-functioning games. Some are highly rated because they are fun to play. Mischievously,\r\nthough, the apps are capable of using compromised devices to download and positively review other malicious\r\napps in the Play store by the same authors. This helps increase the download figures in the Play Store.\r\nSpecifically, it attempts to detect if a device is rooted, and if so, copies several files to the /system partition in an\r\neffort to ensure persistence, even after a complete factory reset. This behavior is very similar to several other\r\nmalware families we’ve seen recently, specifically Shedun, ShiftyBug, and Shuanet.\r\nUnfortunately, Brain Test is back, but Google worked quickly to remove the malicious apps we discovered, and\r\nwe are continuing to monitor for new variants.  \r\nRemoval\r\nhttps://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/\r\nPage 1 of 6\n\nUnfortunately, a simple factory reset (in other words, using the 'Factory Reset' option from the Settings application\r\non an Android device) is not enough to remove the malware, as factory resets do not clear the /system partition.\r\nThe best option for most users would be to backup anything on their device they would like to save, and then re-flash a ROM supplied by the device’s manufacturer. Users can check with their device manufacturer for the proper\r\nsteps on flashing a factory ROM.\r\nTechnical Analysis\r\nThe technical analysis will focus on the most recent update to ‘com.beautiful.caketower’ (SHA1:\r\n18b387c31797a23f558c67194cd2483dcf8cd033) that became made available on the Google Play Store on\r\nDecember 23, 2015. The behavior this sample exhibits closely follows the behavior observed in the initial batch of\r\nBrain Test samples. Initial Launch After the application is installed and initially executed, it does the following:\r\n1) Starts a watchdog executable that reports to the C2 when the application has been uninstalled\r\n2) Decrypts the asset located at ‘assets/res/drawable/pw.png’ and copies it to\r\n‘/data/data/com.beautiful.caketower/app_cache’ with a randomly generated filename (e.g. ‘11ya’). This decrypted\r\nasset is a malicious APK that is used for persistence (package name: “com.qualconm.power”, SHA1:\r\nf52bc39bda66d347cc108f15e7efee52f7e7a112).\r\n3) Writes a small shell script to ‘/data/data/com.beautiful.caketower/app_cache’. If the device is rooted, it executes\r\nthe shell script, which will copy the previously dropped persistence APK to the ‘/system/priv-app’ directory on the\r\ndevice, ensuring persistence even after a factory reset.\r\nSubsequent Behavior\r\nAfter the initial persistence routine completes, several background services continue to check-in with the\r\ncommand-and-control servers. Like the original Brain Test variants, the current version has the ability to\r\ndownload additional configuration parameters from the command-and-control server, as well as execute arbitrary\r\ncommands as root or dynamically load and execute additional Java code.\r\nIt appears the primary goal of the malware is to download and install additional APKs as directed by the\r\ncommand-and-control server. The developers also used infected devices to download other malicious applications\r\nthey had submitted to the Play Store, which would inflate the number of downloads each application received.\r\nAdditionally, the malware provided capabilities that allowed the developers to post positive reviews on their own\r\nmalicious applications using compromised devices, which may explain why every sample we observed had a\r\nrating higher than 4.0. Their last malicious application to receive an update before removal,\r\n‘com.beautiful.caketower’, had between 10,000 - 50,000 installs and a 4.5 average rating out of 23,175 reviews,\r\naccording to the application’s Google Play Store page (Figure 4), while another associated sample,\r\n‘com.sweet.honeycomb’ (SHA1: edb88aea5f9ad489db5869ad49252a865d5cd9f0) had between 500,000 -\r\n1,000,000 installs with an average 4.5 rating out of 79,878 reviews (Figure 5).\r\nhttps://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/\r\nPage 2 of 6\n\nWhile the malware’s primary motive is likely selling guaranteed application-installs, its flexible design could\r\nallow the developers to utilize infected devices for more nefarious purposes if they desired.\r\nConclusion\r\nBrain Test’s end goal has always been money. There has been an emergence of entities, primarily originating from\r\nChina, that have been selling guaranteed application-installs to developers. In order to facilitate the installs,\r\nthey rely on compromising a large number of devices and then pushing the installs to those devices. Similar tactics\r\nhave been around for many years in the PC world, and we’ve seen multiple Android malware families take a\r\nsimilar approach.\r\nWhat differentiates this particular situation, though, is the delivery mechanism: where PC malware is typically\r\nserved through misleading advertisements or drive-by-downloads, this malware made it onto a mainstream app\r\nstore, and in some cases, obtained over 500,000 downloads and an average 4.5 rating before removal. While it’s\r\ndefinitely true that users are considerably safer when downloading only from a mainstream source like the Google\r\nPlay Store, we recommend users remain cautious and use additional security software to ensure the safety of their\r\ndevice.\r\nhttps://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/\r\nPage 3 of 6\n\nAppendix\r\nBelow is a list of applications that were removed from the Google Play Store:\r\nSubsequent Behavior\r\nAfter the initial persistence routine completes, several background services continue to check-in with the\r\ncommand-and-control servers. Like the original Brain Test variants, the current version has the ability to\r\ndownload additional configuration parameters from the command-and-control server, as well as execute arbitrary\r\ncommands as root or dynamically load and execute additional Java code.\r\nIt appears the primary goal of the malware is to download and install additional APKs as directed by the\r\ncommand-and-control server. The developers also used infected devices to download other malicious applications\r\nthey had submitted to the Play Store, which would inflate the number of downloads each application received.\r\nAdditionally, the malware provided capabilities that allowed the developers to post positive reviews on their own\r\nmalicious applications using compromised devices, which may explain why every sample we observed had a\r\nrating higher than 4.0. Their last malicious application to receive an update before removal,\r\n‘com.beautiful.caketower’, had between 10,000 - 50,000 installs and a 4.5 average rating out of 23,175 reviews,\r\naccording to the application’s Google Play Store page (Figure 4), while another associated sample,\r\n‘com.sweet.honeycomb’ (SHA1: edb88aea5f9ad489db5869ad49252a865d5cd9f0) had between 500,000 -\r\n1,000,000 installs with an average 4.5 rating out of 79,878 reviews (Figure 5).\r\nhttps://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/\r\nPage 4 of 6\n\nWhile the malware’s primary motive is likely selling guaranteed application-installs, its flexible design could\r\nallow the developers to utilize infected devices for more nefarious purposes if they desired.\r\nConclusion\r\nBrain Test’s end goal has always been money. There has been an emergence of entities, primarily originating from\r\nChina, that have been selling guaranteed application-installs to developers. In order to facilitate the installs,\r\nthey rely on compromising a large number of devices and then pushing the installs to those devices. Similar tactics\r\nhave been around for many years in the PC world, and we’ve seen multiple Android malware families take a\r\nsimilar approach.\r\nWhat differentiates this particular situation, though, is the delivery mechanism: where PC malware is typically\r\nserved through misleading advertisements or drive-by-downloads, this malware made it onto a mainstream app\r\nstore, and in some cases, obtained over 500,000 downloads and an average 4.5 rating before removal. While it’s\r\ndefinitely true that users are considerably safer when downloading only from a mainstream source like the Google\r\nPlay Store, we recommend users remain cautious and use additional security software to ensure the safety of their\r\ndevice.\r\nhttps://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/\r\nPage 5 of 6\n\nAppendix\r\nBelow is a list of applications that were removed from the Google Play Store:\r\nSource: https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/\r\nhttps://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
	],
	"report_names": [
		"brain-test-re-emerges"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434505,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8369d196a691501e935d6a29cbd417f1207f50e4.pdf",
		"text": "https://archive.orkl.eu/8369d196a691501e935d6a29cbd417f1207f50e4.txt",
		"img": "https://archive.orkl.eu/8369d196a691501e935d6a29cbd417f1207f50e4.jpg"
	}
}