This dangerous Android spyware has returned via malicious Play Store apps — delete them right now

Cybersecurity experts have recently uncovered a new iteration of the Mandrake Android spyware lurking within applications on the Google Play Store. Initially identified by Bitdefender in 2020, this spyware has been active since at least 2016. The latest findings from Kaspersky reveal that this evolved variant of Mandrake has proven adept at evading detection, managing to infiltrate five different apps submitted in 2022. Remarkably, most of these applications remained available for download for nearly a year, while one managed to stay on the platform for two years before it was finally flagged and removed.

Delete these apps right now

As of now, all malicious applications containing this new version of Mandrake have been expunged from the Google Play Store. However, if you have any of these apps installed on your Android device, it is imperative to delete them manually. Below is a list of the affected apps along with their download counts:

  • AirFS – 30,305 downloads
  • Astro Explorer – 718 downloads
  • Amber – 19 downloads
  • CryptoPulsing – 790 downloads
  • Brain Matrix – 259 downloads

Among these, AirFS stood out as the most elusive, remaining undetected for two years before its removal in March of this year. According to Kaspersky’s analysis, users primarily downloaded these apps from countries including the U.K., Canada, Germany, Italy, Mexico, Spain, and Peru.

Hiding in plain sight

The Mandrake spyware employs a unique approach compared to conventional Android malware. Rather than embedding malicious code directly into an app’s DEX file, it conceals its initial stage within a native library named “libopencv_dnn.so,” which is obfuscated using OLLVM. Once this library is installed on a victim’s Android device, it exports functions that decrypt the second-stage loader DEX from the app’s assets folder and load it into memory.

This second stage not only requests permission to display overlays—often utilized in overlay attacks—but also loads another native library, “libopencv_java3.so.” This library is responsible for decrypting a certificate that facilitates secure communication with a hacker-controlled command and control (C2) server. Once connected, the malicious app transmits a device profile and receives the third stage, which is the actual Mandrake spyware. This spyware is capable of executing a variety of harmful actions, including data collection, screen recording, command execution, simulating user interactions, managing files, and even installing additional malicious applications.
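As an added illustration, not code from Kaspersky or from this article, the following Python script performs static triage of an APK for the three indicators the description above gives: the named native library under lib/, a high-entropy asset that could be an encrypted second-stage DEX, and the overlay permission declared in the manifest. The sample APK it builds is constructed here and benign; the entropy threshold, function names and scoring are assumptions for the example.

```python
import io
import math
import zipfile
from collections import Counter

# Native libraries the article reports as carrying the Mandrake loader stages.
SUSPECT_LIBS = {"libopencv_dnn.so", "libopencv_java3.so"}
# Android permission behind "display over other apps" (overlay) prompts.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Static heuristics for the staging described above (threshold is an assumption)."""
    findings = {"suspect_libs": [], "high_entropy_assets": [], "overlay_perm": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if name.startswith("lib/") and base in SUSPECT_LIBS:
                findings["suspect_libs"].append(name)
            elif name.startswith("assets/"):
                data = zf.read(name)
                if len(data) >= 1024 and shannon_entropy(data) >= entropy_threshold:
                    findings["high_entropy_assets"].append(name)
            elif name == "AndroidManifest.xml":
                # Real APKs ship a binary manifest whose string pool may be UTF-8 or UTF-16-LE.
                raw = zf.read(name)
                if OVERLAY_PERM.encode() in raw or OVERLAY_PERM.encode("utf-16-le") in raw:
                    findings["overlay_perm"] = True
    findings["score"] = (bool(findings["suspect_libs"]) + bool(findings["high_entropy_assets"])
                         + findings["overlay_perm"])
    return findings

def build_sample_apk() -> bytes:
    """Constructed, benign zip laid out like the description; not a real Mandrake sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", f'<uses-permission android:name="{OVERLAY_PERM}"/>')
        zf.writestr("lib/arm64-v8a/libopencv_dnn.so", b"\x7fELF" + b"\0" * 64)
        zf.writestr("assets/payload.bin", bytes(range(256)) * 16)  # uniform bytes, entropy 8.0
        zf.writestr("assets/strings.txt", b"hello world " * 200)   # low entropy, must not flag
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

A high score only means the heuristics fired; a real OpenCV-based app will legitimately ship libopencv_java3.so, so the result is a prompt for manual review rather than a verdict.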

Moreover, the perpetrators behind this spyware have ingeniously crafted notifications that mimic genuine ones from the Play Store, tricking users into side-loading further malware through APK files. Like many other dangerous Android malware variants, Mandrake exploits Android permissions to operate discreetly in the background, often obscuring app icons to remain unnoticed.

How to stay safe from Android malware

While the five malicious apps have been removed from the Play Store, the potential for cybercriminals to deploy new, more sophisticated applications to propagate the spyware remains high. Therefore, exercising caution when downloading and installing new apps on Android devices is essential. Users should scrutinize reviews and ratings closely, while also seeking out external third-party reviews and video demonstrations of the app in action.

Additionally, ensuring that Google Play Protect is activated on your device is crucial, as it scans both existing and newly downloaded apps for malware. For enhanced security, consider complementing this protection with one of the leading Android antivirus applications available.

The persistent success of malicious apps has made them a favored tool for hackers, indicating that this threat is unlikely to dissipate despite Google’s ongoing efforts to mitigate it. Thus, thorough research before installing any new applications on your Android smartphone or tablet is paramount.
