
Thousands Download New Mandrake Android Spyware Version From Google Play

Five Android applications containing the Mandrake spyware have been downloaded over 32,000 times from Google Play since 2022. (This post appeared first on SecurityWeek.)

A new version of the Mandrake Android spyware made it to Google Play in 2022 and remained undetected for two years, amassing over 32,000 downloads, Kaspersky reports.

Initially detailed in 2020, Mandrake is a sophisticated spyware platform that provides attackers with complete control over the infected devices, allowing them to steal credentials, user files, and money, block calls and messages, record the screen, and blackmail the victim.

The original spyware was used in two infection waves, starting in 2016, but remained unnoticed for four years. Following a two-year break, the Mandrake operators slipped a new variant into Google Play, which remained undiscovered over the past two years.

In 2022, five applications carrying the spyware were published on Google Play, with the most recent one – named AirFS – updated in March 2024 and removed from the application store later that month.

“As at July 2024, none of the apps had been detected as malware by any vendor, according to VirusTotal,” Kaspersky warns now.

Disguised as a file sharing app, AirFS had over 30,000 downloads when removed from Google Play, with some of those who downloaded it flagging the malicious behavior in reviews, the cybersecurity firm reports.

The Mandrake applications work in three stages: dropper, loader, and core. The dropper hides its malicious behavior in a heavily obfuscated native library that decrypts the loader from an assets folder and then executes it.

One of the samples, however, combined the loader and core components in a single APK that the dropper decrypted from its assets.

Once the loader has started, the Mandrake application displays a notification and requests permissions to draw overlays. The application collects device information and sends it to the command-and-control (C&C) server, which responds with a command to fetch and run the core component only if the target is deemed relevant.

The core, which includes the main malware functionality, can harvest device and user account information, interact with applications, allow attackers to interact with the device, and install additional modules received from the C&C.
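The staged layout described above (an obfuscated native library that decrypts a second stage from the assets folder) leaves a static footprint that a defender can check for before anything is installed or run. The following triage script is an added example, not Kaspersky's, Google's or SecurityWeek's code: it treats an APK as the zip archive it is, lists native libraries under `lib/`, measures the Shannon entropy of files under `assets/` (encrypted or compressed payloads sit near 8 bits per byte), and flags the combination of both. The entropy threshold, minimum blob size and the sample archive it builds are assumptions constructed for illustration.

```python
"""Static triage heuristic for staged Android droppers.

Added example, not code from the article or from any vendor named in it.
It flags the on-disk pattern the article describes: a native library under
lib/ alongside a high-entropy file under assets/ (what an encrypted loader
looks like before decryption). Nothing in the archive is executed.
"""
import io
import math
import os
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumption: ciphertext approaches 8.0
MIN_BLOB_SIZE = 4096      # assumption: skip small config/text assets


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Inspect an APK's zip entries and report staged-dropper indicators."""
    findings = {"native_libs": [], "high_entropy_assets": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
            elif (name.startswith("assets/") and not info.is_dir()
                  and info.file_size >= MIN_BLOB_SIZE):
                entropy = shannon_entropy(zf.read(name))
                if entropy >= ENTROPY_THRESHOLD:
                    findings["high_entropy_assets"].append((name, round(entropy, 2)))
    # The combination, not either indicator alone, is what matters here:
    # plenty of benign apps ship native code, and plenty ship compressed assets.
    findings["suspicious"] = bool(findings["native_libs"]) and bool(
        findings["high_entropy_assets"])
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample archive mimicking the described layout.

    Random bytes stand in for an encrypted second stage; the ELF stub is a
    placeholder, not a real library. This is test data, not a real sample.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 1024)
        zf.writestr("assets/stage2.bin", os.urandom(64 * 1024))   # "encrypted" blob
        zf.writestr("assets/strings.txt", b"hello world\n" * 1000)  # benign, low entropy
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Run it against a real APK by passing the file's bytes to `triage_apk`; the result is a lead for manual review, not a verdict, since game engines and media apps legitimately bundle both native code and compressed assets.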

“While the main goal of Mandrake remains unchanged from past campaigns, the code complexity and quantity of the emulation checks have significantly increased in recent versions to prevent the code from being executed in environments operated by malware analysts,” Kaspersky notes.

The spyware relies on an OpenSSL static compiled library for C&C communication and uses an encrypted certificate to prevent network traffic sniffing.

According to Kaspersky, most of the 32,000 downloads the new Mandrake applications have amassed came from users in Canada, Germany, Italy, Mexico, Spain, Peru and the UK.

“Google Play Protect is continuously improving with each app identified. We’re always enhancing its capabilities, including upcoming live threat detection to help combat obfuscation and anti-evasion techniques. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson told SecurityWeek.

*Updated with statement from Google.
