Google has removed 13 apps from the Play store after it was revealed that the software can root phones and introduce malware, according to mobile security firm Lookout.
“On 29 December we confirmed our suspicions that additional apps containing brain test malware were in Google Play. We found 13 brain test samples in total, written by the same developers. We contacted Google, who promptly removed these 13 apps from the Google Play store,” Chris Dehghanpoor, senior security analyst at Lookout, said in a blog post.
The apps, some of which were “fully functioning games”, can compromise a device by gaining access to root privileges, and will persist even after a factory reset on the handset. The malicious apps are thought to be the work of Chinese developers.
Lookout identified 13 malicious apps in the Google Play store – Cake Blast, Jump Planet, Honey Comb, Crazy Block, Crazy Jelly, Tiny Puzzle, Ninja Hook, Piggy Jump, Just Fire, Eat Bubble, Hit Planet, Cake Tower and Drag Box – some of which have been downloaded hundreds of thousands of times.
The apps also have an embedded feature that pushes their review scores upwards, giving the impression of a positive user experience.
“Mischievously, the apps are capable of using compromised devices to download and positively review other malicious apps in the Play store by the same authors. This helps increase the download figures in the Play store,” explained Dehghanpoor.
“Specifically, it attempts to detect if a device is rooted, and if so, copies several files to the system partition in an effort to ensure persistence even after a factory reset.”
The primary goal of the malware, according to Lookout, is to download and install additional Android application packages as directed by the command and control server.
“The developers also used infected devices to download other malicious applications they had submitted to the Play store, which would inflate the number of downloads each application received,” said Dehghanpoor.
“While the malware’s primary motive is selling guaranteed application-installs, its flexible design could allow the developers to use infected devices for more nefarious purposes if they desired.”
It is always difficult to remove persistent malware, but handsets infected with the apps can be re-flashed with a ROM supplied by the device’s manufacturer, according to Lookout.
This is not the first time Google has been forced to remove damaging software from the Play store. Most recently, FireEye security researchers uncovered a malware variant called ‘Kemoge’ that was spreading worldwide and was able to disguise itself as popular Android apps.