{
	"id": "5ac4b5b2-e467-49aa-b7c8-2b91e434b4e8",
	"created_at": "2026-04-10T03:21:50.065656Z",
	"updated_at": "2026-04-10T03:22:19.211541Z",
	"deleted_at": null,
	"sha1_hash": "8b8fa6719d14ace7bbb0360b998c7029c4eb96be",
	"title": "BrainTest - A New Level of Sophistication in Mobile Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63569,
	"plain_text": "BrainTest - A New Level of Sophistication in Mobile Malware\r\nBy bferrite\r\nPublished: 2015-09-21 · Archived: 2026-04-10 02:11:12 UTC\r\nCheck Point Mobile Threat Prevention has detected two instances of a mobile malware variant infecting multiple devices within the Check Point customer base.\r\nThe malware, packaged within an Android game app called BrainTest, had been published to Google Play twice. Each instance had between 100,000 and 500,000 downloads according to Google Play statistics, reaching an aggregated infection rate of between 200,000 and 1 million users. Check Point reached out to Google on September 10, 2015, and the app containing the malware was removed from Google Play on September 15, 2015.\r\nOverview\r\nThe malware was first detected on a Nexus 5 smartphone, and although the user attempted to remove the infected app, the malware reappeared on the same device shortly thereafter. Our analysis of the malware shows it uses multiple, advanced techniques to avoid Google Play malware detection and to maintain persistence on target devices.\r\nOnce this malware was detected on a device, Mobile Threat Prevention automatically adjusted security policies on the Mobile Device Management solution (MobileIron) managing the affected devices, thereby blocking enterprise access from the infected devices.\r\nWhile the malware is capable of facilitating various cyber-criminal goals, our team confirmed it is currently installing additional apps on infected devices. Disturbingly, the malware establishes a rootkit on the device, allowing it to download and execute any code a cybercriminal would want to run on a device. 
For example, it could be used to display unwanted and annoying advertisements on a device or, potentially, to download and deploy a payload that steals credentials from an infected device.\r\nHighlights\r\nSamples of the malicious code found in BrainTest have been found on Google Play, and its creator used multiple methods to evade detection by Google, including:\r\nBypassing Google Bouncer by detecting whether the malware is being run from an IP address or domain mapped to Google Bouncer and, if so, not performing its intended malicious activities.\r\nCombining timebombs, dynamic code loading and use of reflection to complicate reverse engineering of the malware.\r\nUsing off-the-shelf obfuscation (a packer) from Baidu to re-introduce the malware to Google Play after the first instance was removed on Aug 24th.\r\nBrainTest uses four privilege escalation exploits to gain root access on a device and to install persistent malware as a system application.\r\nhttp://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/\r\nPage 1 of 4\n\nBrainTest leverages an anti-uninstall watchdog that uses two system applications to monitor the removal of one of the components and reinstall the component.\r\nAfter the first instance of BrainTest was detected, Google removed the app from Google Play. Within days, the Check Point research team detected another instance with a different package name but which uses the same code. The malware’s creators had used obfuscation to upload the new piece of malware to Google Play.\r\nTechnical Analysis\r\nThe malware consists of two applications:\r\n1. The Dropper: Brain Test (unpacked – com.mile.brain, packed – com.zmhitlte.brain). This is installed from Google Play and downloads an exploit pack from the server to obtain root access on a device. 
If root access is obtained, the application downloads a malicious .apk file (the Backdoor) from the server and installs it as a system application.\r\n2. The Backdoor: System malware (mcpef.apk and brother.apk). This tries a few persistence methods using the anti-uninstall techniques described below, and downloads and executes code from the server without user consent.\r\nDetailed Malware Structure\r\ncom.mile.brain (SHA256: 135d6acff3ca27e6e7997429e5f8051f88215d12351e4103f8344cd66611e0f3): This is the main application found on Google Play. It contains an encrypted Java archive, “start.ogg”, in the assets directory and dynamically loads code from it with dalvik.system.DexClassLoader.\r\ndo.jar (SHA256: a711e620246d9954510d3f1c8d5c784bacc78069a5c57b9ec09c3e234bc33a8b): The decrypted file produced from “start.ogg”. It sends a request to the server with the device’s configuration. The server’s response is JSON containing a link to a .jar file plus the class name and method name to be executed via the reflection API. The application downloads the file, dynamically loads it using dalvik.system.DexClassLoader and invokes the class and method specified in the JSON.\r\njhfrte.jar: A Java archive downloaded from the server. If the device isn’t rooted, it downloads an exploit pack from the server and executes it to obtain root on the device. Once root is obtained, it downloads an additional APK file from the server (mcpef.apk) and installs it as a system application (in the /system directory).\r\nr1-r4: Local privilege escalation (root) exploits, comprising CVE-2013-6282, camerageroot (http://www.77169.org/exploits/2013/20130414031700), a rooting tool for the MediaTek mtk6592 chipset and an additional exploit.\r\nnis: The su binary used to execute shell commands with root privileges.\r\nmcpef.apk (SHA256: a8e7dfac00adf661d371ac52bddc03b543bd6b7aa41314b255e53d810931ceac): The malicious system application downloaded from the server (package name – com.android.music.helper). 
This installs an additional application from its assets directory (brother.apk) and listens for PACKAGE_REMOVED events. If the brother.apk application is removed, mcpef.apk reinstalls brother.apk from its assets.\r\nbrother.apk (SHA256: 422fec2e201600bb2ea3140951563f8c6fbd4f8279a04a164aca5e8e753c40e8): Package name – com.android.system.certificate. A system application installed by mcpef.apk, with the same functionality as mcpef.apk. In addition, it monitors whether the com.android.music.helper package is removed. If mcpef.apk is removed, brother.apk reinstalls it from a META-INF/brother file.\r\nboy, post.sh: The shell scripts used for application persistence.\r\nApplication lifecycle\r\nGoogle Bouncer Bypass\r\nOn start, the application checks whether it is executing on one of the Google servers, i.e. whether its public IP address falls within one of the ranges\r\n209.85.128.0-209.85.255.255, 216.58.192.0-216.58.223.255, 173.194.0.0-173.194.255.255, 74.125.0.0-74.125.255.255\r\nor whether the hostname associated with its IP address contains any of the strings “google”, “android” or “1e100”.\r\nIf any of these conditions is true, the application does not continue into the malicious flow. This method is designed to bypass the automatic Google Play protection mechanism called Bouncer.\r\nTimebombs, Dynamic Code Loading and Reflection\r\nIf Google Bouncer was not detected, the application starts a time bomb which initiates the malicious flow only after 20 seconds and then runs every 2 hours. The time bomb triggers an unpacker thread. The unpacker thread decrypts the Java archive “start.ogg” from the assets directory, dynamically loads it and calls the method “a.a.a.b” from this archive.\r\nThis method checks whether eight hours have passed since the first run of the application and, if so, sends a request containing the device’s data to the server. 
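The two gates the dropper applies before it talks to its server, the Google Bouncer check described above and the eight-hour timebomb, modelled in Python as an added example. This is not Check Point’s code and not code recovered from the sample; the IP ranges, hostname markers and delay are the values reported in this article, while the sandbox egress addresses, hostnames and timestamps used in the demo are constructed. It lets an analyst check whether a given analysis environment would ever have observed the malicious flow.

```python
import ipaddress

# Google-owned address ranges the dropper compares its public IP against
# (the four ranges reported in the article).
BOUNCER_IP_RANGES = [
    ('209.85.128.0', '209.85.255.255'),
    ('216.58.192.0', '216.58.223.255'),
    ('173.194.0.0', '173.194.255.255'),
    ('74.125.0.0', '74.125.255.255'),
]

# Substrings the dropper looks for in the hostname behind its public IP.
BOUNCER_HOST_MARKERS = ('google', 'android', '1e100')

# Delay between first run and first server contact (eight hours).
TIMEBOMB_DELAY_SECONDS = 8 * 60 * 60

# The reported ranges are contiguous and aligned, so each collapses to one
# CIDR block; pre-computing them makes membership tests cheap.
BOUNCER_NETWORKS = [
    net
    for first, last in BOUNCER_IP_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]


def bouncer_networks_cidr():
    # CIDR form of the ranges, handy for reviewing sandbox egress routing.
    return [str(net) for net in BOUNCER_NETWORKS]


def ip_in_bouncer_ranges(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOUNCER_NETWORKS)


def hostname_looks_like_google(hostname):
    # Case-insensitive substring match; a missing hostname never matches.
    h = (hostname or '').lower()
    return any(marker in h for marker in BOUNCER_HOST_MARKERS)


def bouncer_detected(public_ip, reverse_dns):
    return ip_in_bouncer_ranges(public_ip) or hostname_looks_like_google(reverse_dns)


def malicious_flow_runs(public_ip, reverse_dns, first_run_ts, now_ts):
    # Returns (runs, reason). The dropper stays dormant when it believes it is
    # inside Google infrastructure, and otherwise only contacts the server once
    # eight hours have passed since its first run.
    if bouncer_detected(public_ip, reverse_dns):
        return (False, 'bouncer')
    if now_ts - first_run_ts < TIMEBOMB_DELAY_SECONDS:
        return (False, 'timebomb')
    return (True, 'armed')


if __name__ == '__main__':
    # Constructed sandbox egress points and run durations (not from the report).
    first_run = 1_442_793_600  # 2015-09-21 00:00:00 UTC, epoch seconds
    cases = [
        ('74.125.24.100', 'some-host.1e100.net', first_run + 9 * 3600),
        ('203.0.113.7', 'android-emu.lab.example.net', first_run + 9 * 3600),
        ('203.0.113.7', 'sandbox.example.net', first_run + 10 * 60),
        ('203.0.113.7', 'sandbox.example.net', first_run + 9 * 3600),
    ]
    for ip, host, now in cases:
        runs, reason = malicious_flow_runs(ip, host, first_run, now)
        print(ip, host, (now - first_run) // 3600, 'h ->', reason)
```

Both gates matter for sandbox design: an analysis box whose egress sits in Google address space, or whose reverse DNS happens to contain “android”, never sees the server contact at all, and one that runs a sample for a few minutes never reaches the eight-hour check either. The CIDR list from bouncer_networks_cidr() is the convenient form for checking where a sandbox’s traffic actually leaves from.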
The server sends back encoded JSON containing a URL, a class name and a method name. The application then downloads the Java archive from the URL specified in the JSON and dynamically loads it with the class loader API. Once the archive is loaded, the application uses the reflection API to call the method of the class named in the JSON.\r\nRooting and Ad Network Presentation\r\nThe reflection-loaded methods check whether the device is rooted. If not, the application downloads a pack of exploits from the server and runs them one by one until root is achieved.\r\nAs root, the application copies the su binary to the /system/bin directory and silently downloads an APK file from the server. The APK is then installed as a system application and registers a listener for the USER_PRESENT event. This event triggers an archive-downloading thread: once the event fires, it registers a timer, and the timer triggers an additional thread which makes a request to the server, expecting JSON with a URL, class name and method name. It downloads one more archive and dynamically loads code from it.\r\nThe final APK is downloaded from a different URL that is currently down. We assume that this APK’s purpose is overlaying ads on the screen, based on our research into the API we found, which returns the URL of a random APK file containing different advertising networks.\r\nPersistency Watch-Dog\r\nThe application contains protection against its own removal. As outlined in the diagram above, it installs an additional application with the same functionality, and these two applications monitor the removal of each other. 
If one of the applications is deleted, the second application re-installs the removed one (each carries a copy of the other, as described above).\r\nNetwork activity\r\nBrainTest communicates with five servers:\r\nAPK files provider (http://psserviceonline[.]com/): This server provides APK files carrying advertising networks. We found two functions:\r\nThe first, http://s.psserviceonline[.]com/api/s2s/tracks/, is used for activation.\r\nThe second, http://s.psserviceonline[.]com/api/ads/, is used for obtaining a link to an APK file. Regardless of the parameters, it returns JSON containing a link to an APK file.\r\nFile Server (http://www.psservicedl[.]com): Contains Android packages, Java archives and zip archives with exploits.\r\nArchive Link domains: Three domains with the same functionality; the application chooses one of them to send the request for an archive link:\r\nhttp://www.himobilephone[.]com\r\nhttp://www.adsuperiorstore[.]com\r\nhttp://www.i4vip[.]com\r\nCounter Measures\r\nUse up-to-date anti-malware software that is capable of identifying this threat.\r\nIf the threat reappears on the device after it has been removed, the malware has managed to install its persistence module in the /system directory. In this case, the device should be re-flashed with an official ROM.\r\nSource: http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/"
	],
	"report_names": [
		"braintest-a-new-level-of-sophistication-in-mobile-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791310,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b8fa6719d14ace7bbb0360b998c7029c4eb96be.pdf",
		"text": "https://archive.orkl.eu/8b8fa6719d14ace7bbb0360b998c7029c4eb96be.txt",
		"img": "https://archive.orkl.eu/8b8fa6719d14ace7bbb0360b998c7029c4eb96be.jpg"
	}
}