New Mandrake Spyware Found in Google Play Store Apps After Two Years

Jul 30, 2024 | Ravie Lakshmanan | Mobile Security / Spyware

Emergence of Mandrake Spyware in Popular Apps

Kaspersky has identified a new variant of the Android spyware known as Mandrake hidden in five applications that were available on the Google Play Store for roughly two years. The apps collectively accumulated more than 32,000 installs before they were removed from the platform, with most installations traced to users in Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K.

Researchers Tatyana Shishkova and Igor Golovin noted that the latest Mandrake samples add further layers of obfuscation and evasion: the malicious functionality has been moved into obfuscated native libraries, command-and-control (C2) communications use certificate pinning, and the malware runs a series of checks for rooted devices and emulators before it will execute.

First documented by Romanian cybersecurity firm Bitdefender in May 2020, Mandrake has been active since at least 2016 and has deliberately targeted a small number of devices at a time. To date, the malware has not been definitively attributed to any specific threat actor or group.

The updated variants are notable for their use of OLLVM (Obfuscator-LLVM) to conceal the malware's core functionality. They also employ a range of sandbox-evasion and anti-analysis techniques designed to prevent execution in the environments malware analysts typically use.

The applications identified as containing Mandrake include:

  • AirFS (com.airft.ftrnsfr)
  • Amber (com.shrp.sght)
  • Astro Explorer (com.astro.dscvr)
  • Brain Matrix (com.brnmth.mtrx)
  • CryptoPulsing (com.cryptopulsing.browser)

The applications deploy the malware in three stages. A dropper launches a loader, which executes the core component after downloading and decrypting it from a C2 server. The second-stage payload collects device information, including connectivity status, installed applications, battery percentage, external IP address, and the installed Google Play version. It can also wipe the core module and request permission to draw over other apps and to run in the background.

The third stage supports additional commands to load a specific URL in a WebView, start a remote screen-sharing session, and record the device screen, with the goal of stealing victims' credentials and dropping further malware.

According to the researchers, Android 13 introduced the 'Restricted Settings' feature, which blocks applications installed from outside an app store (sideloaded through a non-session installer) from being granted sensitive permissions such as accessibility-service access. Mandrake sidesteps this by installing its payloads through a 'session-based' package installer, so Android treats the installation as if it came from an app store. Kaspersky describes Mandrake as a dynamically evolving threat that continuously refines its methods to evade detection and bypass defenses.
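A first triage step on a suspect device is to list third-party packages together with the package that installed them and compare the result against the five package names above. The script below is an added example, not code from Kaspersky or the article; it parses the output of `adb shell pm list packages -3 -i` (the `package:<name>  installer=<installer>` line format is assumed here) and flags known Mandrake package names, packages with no recorded installer, and packages whose installer is not the Play Store, which is where a payload installed through another app's session-based installer would show up. The sample output embedded in the script is constructed, not a capture from a real device.

```python
import re

# Package names of the five Play Store apps Kaspersky attributed to Mandrake (from the article).
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr": "AirFS",
    "com.shrp.sght": "Amber",
    "com.astro.dscvr": "Astro Explorer",
    "com.brnmth.mtrx": "Brain Matrix",
    "com.cryptopulsing.browser": "CryptoPulsing",
}

# Installer packages treated as trusted stores (assumption for this example; extend per fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumed line format of `pm list packages -3 -i`: "package:<name>  installer=<installer|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample output, not a capture from a real device.
SAMPLE_OUTPUT = """\
package:com.airft.ftrnsfr  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.example.sideload  installer=null
package:com.example.stage2  installer=com.airft.ftrnsfr
"""


def parse_pm_list(output: str) -> dict:
    """Map package name -> installer package (None when pm reports 'null')."""
    packages = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            continue  # ignore anything that is not a package line
        installer = match.group("installer")
        packages[match.group("pkg")] = None if installer == "null" else installer
    return packages


def triage(output: str, iocs=MANDRAKE_PACKAGES, trusted=TRUSTED_INSTALLERS) -> list:
    """Return (package, reason) findings, in device listing order."""
    findings = []
    for pkg, installer in parse_pm_list(output).items():
        if pkg in iocs:
            findings.append((pkg, "known Mandrake dropper (%s)" % iocs[pkg]))
        elif installer is None:
            findings.append((pkg, "sideloaded (no installer recorded)"))
        elif installer not in trusted:
            # A payload pushed through another app's PackageInstaller session
            # records that app, not the store, as its installer.
            findings.append((pkg, "installed by non-store package %s" % installer))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with: subprocess.check_output(["adb", "shell", "pm", "list", "packages", "-3", "-i"], text=True)
    for pkg, reason in triage(SAMPLE_OUTPUT):
        print("%-32s %s" % (pkg, reason))
```

The installer check is a heuristic: a legitimate enterprise MDM or OEM store will also appear as a non-Play installer, so treat those hits as leads to review alongside the known package names rather than as verdicts.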

The case underscores the attackers' skill and the trade-off that stricter checks on applications before they are published in app marketplaces bring with them: Kaspersky notes that such controls push the threats that do get into official app stores toward greater sophistication and harder detection.

Google has said it is continually improving Google Play Protect's defenses to identify new malicious applications. A spokesperson added that Android users with Google Play Services are automatically protected against known versions of this malware, and that Google Play Protect can warn users about, or block, apps exhibiting malicious behavior, even when they originate from outside the Play Store.
