Two Games Released in Google Play Can Root Android Devices

By Wish Wu, Ecular Xu

Android malware creators have recently been mixing business with play. We found two malicious gaming apps that were published on Google Play and are capable of rooting Android devices. If the apps Brain Test and RetroTetris ring a bell, better check your devices.

RetroTetris can be installed on Android versions starting from 2.3 Gingerbread, while Brain Test can be installed on versions starting from 2.2 Froyo. Brain Test was removed from Google Play on September 24. Meanwhile, we have informed the Google Play security team about the RetroTetris app and are awaiting their response.

RetroTetris

RetroTetris poses as an app for playing the popular old-school puzzle game Tetris. We estimate that it affects 500 to 1,000 Android devices, mostly in China.


Figure 1. Malicious RetroTetris app published on Google Play

It was first published on Google Play on August 21. However, this game can also be found outside of the official app store. Further monitoring revealed that it was also distributed to (but may not be limited to) the following third-party app stores:

  • Appszoom: http://cn.{BLOCKED}om.com/android-game/retrotetris-ppwst.html
  • WanDouJia: http://www.{BLOCKED}jia.com/apps/com.antdao.tetris
  • YingYongBao: http://{BLOCKED}d.myapp.com/myapp/detail.htm?apkName=com.antdao.tetris
  • 360Market: http://{BLOCKED}u.360.cn/detail/index/soft_id/2911263

The app runs malicious code that sends commands to the startRootRunScript function of the RootGenius SDK (software development kit). This SDK downloads exploits from the Internet, chosen according to the Android version and other device details. These exploits allow the app to gain root privileges on the device.


Figure 2. Malicious code to install malicious app from the Internet

Rootkit        CVE Number
FramaRoot      CVE-2013-6282
TowelRoot      CVE-2014-3153
GiefRoot       CVE-2014-7911 and CVE-2014-4322
PingPongRoot   CVE-2015-3636

Table 1. Rootkits and their exploits, downloaded by RetroTetris online

Further investigation led us to a website related to RetroTetris, shuame[dot]com, which features two tools to root Android devices. The code of one of these tools was found to be similar to the app’s code, leading us to believe that there is a relationship between the group or individuals running the website and the RetroTetris malware creator.

Figure 3. Tool code with various similarities to the malware code

Brain Test

Brain Test poses as a game that tests one’s mental abilities, including checking your “left brain” versus your “right brain” and playing mental activities in a minute. Sounds challenging? This was the hook that the app creators used when they first published the game on Google Play on August 8 under the name “com.mile.brain,” which was later upgraded to a version packed using the Qihoo Android packer.

Google removed the first version from the app store on August 26 but the creators again published a version on September 10 under the package name “com.zmhitlte.brain,” this time using the Baidu protect packer. Google caught it again and removed it after six days on September 16. However, the creators tried again, changing the app name to “Brain Test HD” and the package name to “com.fjsc.brainhd.” This version was also removed from Google Play on September 24.

Once inside the device, it downloads and installs other malicious apps and roots the device, allowing it to execute any malicious code. Infection counts exceeded 10,000 between September 11 and September 25. Infections are mostly concentrated in India, the Philippines, Indonesia, Russia, and Taiwan. We believe that although the malware has been removed from Google Play, it still exists on victims’ devices.

Figure 4. Malicious Brain Test app icon on Android device

Brain Test communicates with the website s[dot]psserviceonline[dot]com to perform its malicious activities. Looking further, we found 385 other malware samples, not found on Google Play, that also communicate with this URL, including the ones below:

  • com.{BLOCKED}e.mp3.music
  • com.as.{BLOCKED}b.downloader
  • com.gl.{BLOCKED}e.wallpaper
  • com.{BLOCKED}ot.master
  • com.sex.{BLOCKED}on.superman
  • com.sex.{BLOCKED}on.xman
  • com.{BLOCKED}d.save.battery
  • com.{BLOCKED}c.sms

Solutions and Detections

Trend Micro customers are protected from these threats. Android device users should take precautions when downloading apps from any source, including Google Play and third-party app stores. Mobile solutions like Trend Micro Mobile Security (TMMS) block rootkit routines like the ones exhibited by the RetroTetris and Brain Test apps with the use of a trusted mobile app reputation service. It identifies routines that collect and potentially steal private information and immediately blocks them in real time.

The following SHA1s and detections are related to these threats:

RetroTetris

  • ae041578acbf41d1ed0ef5393296a28cea24663a
  • 6f3192b73d03bb0c1fcdfeffafc7826da12fde5a

Detections related to shuame[dot]com

  • AndroidOS_ShuaMe.A
  • AndroidOS_ShuaMe.OPS
  • AndroidOS_ShuaMe.OPSA
  • AndroidOS_ShuaMe.OPSB
  • AndroidOS_ShuaMe.OPSC
  • AndroidOS_ShuaMe.OPSD
  • AndroidOS_ShuaMe.OPSE
  • AndroidOS_ShuaMe.HRX
  • AndroidOS_ShuaMe.HRXA
  • AndroidOS_ShuaMe.HRXB
  • AndroidOS_ShuaMe.HRXC

Brain Test

  • daf0b9a8ad003e2a10a6216b7f5827114a108188
  • bfef4bcc1ee7759a7ccbbcabd9d7eb934a193216
  • AndroidOS_IDownloader.A
  • AndroidOS_FakeInst.A
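As an added example (not code from the Trend Micro post or from either app), the following Python script turns the indicators given in this write-up into a small triage tool for the Brain Test and RetroTetris incidents: it matches APK SHA1s against the hashes listed above, matches an installed-package listing (the `package:` line format of `adb shell pm list packages`) against the package names named in the post, looks for the RootGenius SDK entry point string `startRootRunScript` inside an APK's classes.dex, and flags DNS or proxy log lines that resolve the two hosts named above, including their subdomains. The DNS log format, the package listing, and the stand-in APK are all constructed here for the example; the redacted `{BLOCKED}` package names from the post are left out because they cannot be reconstructed.

```python
import hashlib
import io
import re
import zipfile

# Indicators copied from the write-up above: package names, SHA1s and hosts.
# The {BLOCKED} package names are redacted in the post, so they are omitted.
KNOWN_PACKAGES = {
    "com.antdao.tetris": "RetroTetris",
    "com.mile.brain": "Brain Test",
    "com.zmhitlte.brain": "Brain Test",
    "com.fjsc.brainhd": "Brain Test HD",
}
KNOWN_SHA1 = {
    "ae041578acbf41d1ed0ef5393296a28cea24663a": "RetroTetris",
    "6f3192b73d03bb0c1fcdfeffafc7826da12fde5a": "RetroTetris",
    "daf0b9a8ad003e2a10a6216b7f5827114a108188": "Brain Test",
    "bfef4bcc1ee7759a7ccbbcabd9d7eb934a193216": "Brain Test",
}
KNOWN_HOSTS = {
    "s.psserviceonline.com": "Brain Test C2",
    "shuame.com": "site linked to RetroTetris",
}
# SDK entry point named in the post. Its presence in a dex file is a reason
# to look closer, not proof of malice on its own.
KNOWN_STRINGS = [b"startRootRunScript"]


def classify_sha1(digest: str):
    """Return the family for a known SHA1 (case-insensitive), else None."""
    return KNOWN_SHA1.get(digest.lower())


def classify_apk_bytes(data: bytes):
    """Hash raw APK bytes and look the digest up in the indicator list."""
    return classify_sha1(hashlib.sha1(data).hexdigest())


def suspicious_packages(pm_output: str) -> dict:
    """Match 'adb shell pm list packages' output against the package list."""
    hits = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name = line[len("package:"):]
            if name in KNOWN_PACKAGES:
                hits[name] = KNOWN_PACKAGES[name]
    return hits


def scan_apk_strings(apk_bytes: bytes) -> list:
    """Search every classes*.dex inside an APK (a zip) for indicator strings."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                blob = z.read(name)
                for s in KNOWN_STRINGS:
                    if s in blob:
                        found.add(s.decode())
    return sorted(found)


_HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def hosts_in_log(log_text: str) -> dict:
    """Return {hostname: label} for hostnames in a log that equal, or sit
    under, one of the known hosts (so dl.shuame.com matches shuame.com)."""
    hits = {}
    for host in _HOST_RE.findall(log_text):
        h = host.lower()
        for ioc, label in KNOWN_HOSTS.items():
            if h == ioc or h.endswith("." + ioc):
                hits[h] = label
    return hits


# Constructed sample inputs (not real captures).
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.antdao.tetris
package:com.zmhitlte.brain
package:com.google.android.gms
"""

SAMPLE_DNS_LOG = """2015-09-12 10:01:03 client 10.0.0.5 query A s.psserviceonline.com
2015-09-12 10:01:09 client 10.0.0.5 query A www.google.com
2015-09-12 10:02:41 client 10.0.0.7 query A dl.shuame.com
"""


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with a fake classes.dex that
    contains the SDK entry-point string. Not a real or malicious APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0Lcom/example/Root;startRootRunScript\0")
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("hash match:", classify_apk_bytes(apk))
    print("packages:", suspicious_packages(SAMPLE_PM_OUTPUT))
    print("dex strings:", scan_apk_strings(apk))
    print("hosts:", hosts_in_log(SAMPLE_DNS_LOG))
```

Hash matches are exact and only catch the four samples listed; a repacked build (the post shows the Brain Test authors repackaging under new names and packers three times) changes the hash, which is why the package-name, string and host checks are kept alongside it. The string scan reads `classes.dex` raw rather than decoding the dex string table, which is enough for a plain identifier like `startRootRunScript` but would miss an obfuscated or encrypted build.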

Read more: Two Games Released in Google Play Can Root Android Devices

Story added 2 October 2015; the content source with the full text can be found at the link above.