S0293: BrainTest
Analyst context for executives and security teams
BrainTest matters because it is an Android malware family associated in ATT&CK with behaviors that can undermine mobile device trust after installation: privilege escalation, obfuscation, runtime code download, victim-generated traffic, and modification of client software binaries. For leaders, the decision point is whether mobile security, app vetting, and incident response processes can see behavior that static app review may miss.
Executive priority
Treat BrainTest as a mobile resilience and assurance use case rather than only a malware name. It highlights why organizations that allow Android devices in business workflows need evidence for mobile app governance, device integrity monitoring, network visibility, and response procedures for potentially privileged or persistent mobile compromise. Priority questions: which Android devices can access sensitive services, what telemetry proves app behavior after install, and how quickly can the organization isolate or remediate a suspect device?
Technical view
SOC, detection, and IR teams should validate coverage around the related ATT&CK behaviors: exploitation for privilege escalation, obfuscated files or information, downloading new code at runtime, generating outbound traffic from the victim, and compromising client software binaries. Because ATT&CK provides no dedicated detection text for BrainTest and no tactics are specified, detection engineering should be behavior-led: inspect mobile app/package characteristics, runtime network behavior, dynamic code loading indicators, unexpected SMS or web traffic generation where observable, and device integrity changes that could indicate modified system or client binaries.
Likely telemetry
- Mobile device management or enterprise mobility inventory for Android device/app presence and posture
- Mobile threat defense or endpoint telemetry for app behavior, privilege changes, dynamic code loading, and device integrity signals
- Application package analysis results, including obfuscation indicators and code-loading patterns
- Network telemetry from mobile devices, including unusual outbound web traffic destinations, volume, or timing
- SMS-related permission and usage evidence where available and legally/operationally collected
Detection direction
- Do not rely only on pre-install or static app review; T1407 indicates runtime code download can reduce the value of static-only checks.
- Tune detections around combinations of behaviors: obfuscated package content plus runtime code retrieval plus unusual outbound traffic is more decision-useful than any single weak signal.
- Validate whether mobile tooling can observe privilege escalation attempts or post-exploitation privilege state changes; many environments have limited mobile host telemetry.
- Review false positives for legitimate apps that use obfuscation, compression, dynamic modules, or high outbound traffic; require context such as source app reputation, permissions, destination patterns, and device role.
- Use the relationships to guide hunting and triage, but avoid assuming every BrainTest-related technique is visible in every environment without confirming telemetry collection.
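The combination-of-behaviors idea above is easier to reason about as code. The following is an added example (not Glexia's or MITRE's code, and not a BrainTest sample) that maps constructed Android app telemetry onto the five related technique categories, weights them, applies the reputation context the list asks for, and returns a triage decision. The weights, thresholds, field names, entropy floor and package names are assumptions to be tuned against a real fleet.

```python
"""Behaviour-led triage of Android app telemetry (added example, not project code).

Combines the BrainTest-related ATT&CK signals (T1404, T1406, T1407, T1643, T1645)
into one score instead of alerting on any single weak indicator.
"""
import math
import random
from dataclasses import dataclass, field
from typing import Dict, List

# Illustrative weights per technique (assumed values, tune per environment).
WEIGHTS: Dict[str, int] = {
    "obfuscated_asset": 2,       # T1406: encrypted payload in the assets directory
    "runtime_code_download": 3,  # T1407: APK/DEX appears after installation
    "unusual_outbound": 2,       # T1643: traffic to hosts outside the expected set
    "priv_app_write": 4,         # T1645: write into /system/priv-app
    "root_attempt": 3,           # T1404: privilege-escalation attempt observed
}
REPUTATION_DISCOUNT = 3   # assumed: a known-good publisher lowers the score
REVIEW_THRESHOLD = 3
ALERT_THRESHOLD = 6
CODE_SUFFIXES = (".apk", ".dex", ".jar")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed blobs approach 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class AppObservation:
    """One app's post-install telemetry; every field is an assumed schema."""
    package: str
    asset_blobs: List[bytes] = field(default_factory=list)   # raw asset files
    files_written: List[str] = field(default_factory=list)   # paths written after install
    outbound_hosts: List[str] = field(default_factory=list)  # observed destinations
    expected_hosts: List[str] = field(default_factory=list)  # app profile / allowlist
    root_attempt: bool = False                               # e.g. MTD privesc signal
    known_good_publisher: bool = False                       # reputation context


def extract_signals(obs: AppObservation, entropy_floor: float = 7.5) -> Dict[str, bool]:
    """Map raw telemetry onto the five behaviour categories."""
    return {
        "obfuscated_asset": any(shannon_entropy(b) >= entropy_floor for b in obs.asset_blobs),
        "runtime_code_download": any(p.lower().endswith(CODE_SUFFIXES) for p in obs.files_written),
        "unusual_outbound": any(h not in obs.expected_hosts for h in obs.outbound_hosts),
        "priv_app_write": any(p.startswith("/system/priv-app/") for p in obs.files_written),
        "root_attempt": obs.root_attempt,
    }


def score(obs: AppObservation) -> int:
    """Weighted sum of hit categories, discounted by publisher reputation."""
    hits = extract_signals(obs)
    total = sum(WEIGHTS[k] for k, hit in hits.items() if hit)
    if obs.known_good_publisher:
        total -= REPUTATION_DISCOUNT
    return max(total, 0)


def triage(obs: AppObservation) -> str:
    """'alert' for strong combinations, 'review' for weaker ones, else 'ignore'."""
    s = score(obs)
    if s >= ALERT_THRESHOLD:
        return "alert"
    if s >= REVIEW_THRESHOLD:
        return "review"
    return "ignore"


def _random_blob(seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for an encrypted asset (deterministic, runs offline)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed sample observations with placeholder package names (not real telemetry).
SUSPECT = AppObservation(
    package="com.example.suspect",
    asset_blobs=[_random_blob(1)],
    files_written=["/data/data/com.example.suspect/files/pack.apk",
                   "/system/priv-app/com.example.suspect/helper.apk"],
    outbound_hosts=["unknown-host.example"],
    root_attempt=True,
)
BENIGN_GAME = AppObservation(   # compressed textures also look random: reputation matters
    package="com.example.game",
    asset_blobs=[_random_blob(2)],
    files_written=["/data/data/com.example.game/cache/level1.bin"],
    outbound_hosts=["cdn.example"],
    expected_hosts=["cdn.example"],
    known_good_publisher=True,
)
UNKNOWN_APP = AppObservation(   # one signal only: worth a look, not an alert
    package="com.example.unknown",
    asset_blobs=[b"plain text asset " * 256],
    files_written=["/data/data/com.example.unknown/files/module.dex"],
    outbound_hosts=["cdn.example"],
    expected_hosts=["cdn.example"],
)

if __name__ == "__main__":
    for obs in (SUSPECT, BENIGN_GAME, UNKNOWN_APP):
        print(obs.package, score(obs), triage(obs))
```

The benign game carries the same high-entropy asset as the suspect app, which is exactly the false positive the list warns about; it only drops to "ignore" because publisher reputation and an expected destination are part of the decision, not because the obfuscation signal was discarded.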
Mitigation priorities
- Start with mobile asset and app governance: know which Android devices and apps are permitted to access business services.
- Prioritize mobile security controls that assess app reputation, permissions, runtime behavior, and device integrity rather than only installation state.
- Restrict sensitive access from devices that are unmanaged, noncompliant, rooted/jailbroken where detectable, or lacking required mobile security posture.
- Maintain incident response playbooks for suspect mobile malware: isolate business access, preserve available mobile telemetry, remove suspect apps, and re-enroll or rebuild devices when integrity cannot be trusted.
- Use this ATT&CK mapping to support compliance evidence that mobile risk is covered by inventory, monitoring, access control, and response processes.
Analyst notes and limits
The official ATT&CK object describes BrainTest only as an Android malware family and provides external references to Check Point and Lookout reporting. The supplied relationships are the main source of defensive context and should be used as behavior categories for validation, not as proof of current activity in any environment.
ATT&CK provides no official detection guidance, no specified tactics, no aliases, and no explicit platform field beyond the official Android malware description. Local device fleet composition, mobile telemetry availability, app governance model, and network collection determine practical detection and response feasibility.
BrainTest
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1404 | Exploitation for Privilege Escalation | Some original variants of BrainTest had the capability to automatically root some devices, but that behavior was not observed in later samples. [2] |
| Mobile | T1645 | Compromise Client Software Binary | BrainTest uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset. [2] |
| Mobile | T1643 | Generate Traffic from Victim | BrainTest provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store. [2] |
| Mobile | T1407 | Download New Code at Runtime | Original samples of BrainTest download their exploit packs for rooting from a remote server after installation. [2] |
| Mobile | T1406 | Obfuscated Files or Information | BrainTest stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime. [2] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fda78617907a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CheckPoint-BrainTest: Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest – A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016.
- [2] Lookout-BrainTest: Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.
- [3] mitre-attack: S0293.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.