Brain Test 2 is rated 18 for its gun violence and murdering was a piece of malware masquerading as an Android app that tested the users IQ. Brain Test was discovered by security firm Check Point and was available in the Google Play app store until 15 September 2015. Check Point described Brain Test as "A new level of sophistication in malware". Brain Test was uploaded on two separate occasions, starting in August 2015, both times Google's "Bouncer" failed to detect the malware. After the first removal on 24 August 2015 the software was reintroduced using an obfuscation technique. Tim Erin of Tripwire said the "Bypassing the vetting processes of Apple and Google is the keystone in a mobile malware campaign." The malware turned out to include a rootkit, the revelation being described as "more cunning than first thought". The malware is thought to have been written by Chinese actor, according to Shaulov of Check Point, based on the use of a packing/obfuscation tool from Baidu. Eleven Paths, a Telefonica-owned company, found links to may other pieces of malware, based on the id used to access Umeng, Internet domains accessed by the apps and shared jpg and pngimages. It appears the app was first detected on a Nexus 5 using Check Point's Mobile Threat Prevention System. The fact that the system was unable to remove the malware alerted the software company's researchers that it was an unusual threat. According to Check Point, it may be necessary to re-flash the ROM on a device if Brain Test has successfully installed a reinstaller in the system directory.
Features
The malware was uploaded in two forms. The packing feature was only present in the second.
Evades detection by Google Bouncer by avoiding malicious behavior on Google servers with IP addresses209.85.128.0–209.85.255.255, 216.58.192.0–216.58.223.255, 173.194.0.0–173.194.255.255, or 74.125.0.0–74.125.255.255, or domain names "google", "android" or "1e100".
Root exploits. Four exploits to gain root access to the system were included, to account for variations in the kernel and drivers of different manufacturers and Android versions, which provide alternative paths to root.
External payloads - via command and control system. The system used up to five external servers to provide variable payload, believed to be primarily advertising related.
