New Mandrake Android Spyware Version Found in Google Play Store Apps After Two Years
A new version of a sophisticated Android spyware called Mandrake has been found in five apps that were available for download from the Google Play Store and went undetected for two years.
The apps attracted more than 32,000 installations in total before they were pulled from the store, according to a Kaspersky report published on Monday. Most of the downloads came from Canada, Germany, Italy, Mexico, Spain, Peru, and the United Kingdom.
“The newly discovered instances came with enhanced layers of obfuscation and evasion tactics, such as relocating malicious features to cryptic native libraries, enforcing certificate pinning for C2 communications, and conducting various checks to verify whether Mandrake was operating on a rooted device or within a simulated environment,” researchers Tatyana Shishkova and Igor Golovin said.
Mandrake was first documented by Romanian cybersecurity company Bitdefender in May 2020, which described its deliberate strategy of infecting only a small number of devices while remaining undetected since 2016.

The updated variants stand out for their use of OLLVM (Obfuscator-LLVM) to hide the core functionality, together with sandbox-evasion and anti-analysis checks designed to stop the code from running in environments set up by malware analysts.
The apps found to contain Mandrake are as follows –
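The rooted-device and emulator checks mentioned in the researchers' quote above, and the sandbox evasion described in this paragraph, are easiest to reason about as a list of "tells" the malware looks for before unpacking its payload. The Python below is an added illustration, not code from Kaspersky's report or from Mandrake itself: the property names are real Android system properties, but the indicator values are generic, widely cited emulator and root tells rather than Mandrake's own list (which the report excerpt here does not enumerate), and the two device profiles are constructed. An analyst can run it against a sandbox's `getprop` output to see which checks would still fire.

```python
# Added illustration (not Kaspersky's or Mandrake's code): models common
# rooted-device / emulator checks as host-side logic over a getprop-style
# property map and a list of filesystem paths present on the device.
import re

# Generic emulator tells (AOSP emulator, goldfish/ranchu kernels, test-keys
# builds). Assumed indicator values, not a list taken from the report.
EMULATOR_PROPS = {
    "ro.kernel.qemu": re.compile(r"^1$"),
    "ro.hardware": re.compile(r"goldfish|ranchu|vbox|nox", re.I),
    "ro.product.model": re.compile(r"sdk|emulator|android sdk built for", re.I),
    "ro.product.manufacturer": re.compile(r"^(genymotion|unknown)$", re.I),
    "ro.build.fingerprint": re.compile(r"^(generic|unknown)", re.I),
    "ro.build.tags": re.compile(r"test-keys"),
}

# Paths whose presence suggests a rooted device or an instrumentation agent.
ROOT_PATHS = (
    "/system/bin/su", "/system/xbin/su", "/sbin/su",
    "/system/app/Superuser.apk", "/data/local/tmp/frida-server",
)


def sandbox_checks(props, existing_paths):
    """Return a sorted list of the checks that would fire for this profile.

    props: dict of system property name -> value (as printed by `getprop`).
    existing_paths: iterable of absolute paths that exist on the device.
    """
    hits = []
    for name, pattern in EMULATOR_PROPS.items():
        value = props.get(name, "")
        if pattern.search(value):
            hits.append(f"prop:{name}={value}")
    present = set(existing_paths)
    for path in ROOT_PATHS:
        if path in present:
            hits.append(f"path:{path}")
    return sorted(hits)


# Constructed profiles for demonstration, not captured from real devices.
STOCK_EMULATOR = {
    "ro.kernel.qemu": "1",
    "ro.hardware": "ranchu",
    "ro.product.model": "Android SDK built for x86_64",
    "ro.product.manufacturer": "Google",
    "ro.build.fingerprint": "generic/sdk_gphone_x86_64/emulator_x86_64:13/TE1A.220922.010/9142714:userdebug/test-keys",
    "ro.build.tags": "test-keys",
}
STOCK_EMULATOR_PATHS = ["/system/bin/su", "/data/local/tmp/frida-server"]

HARDENED_SANDBOX = {
    "ro.kernel.qemu": "0",
    "ro.hardware": "qcom",
    "ro.product.model": "Pixel 6",
    "ro.product.manufacturer": "Google",
    "ro.build.fingerprint": "google/oriole/oriole:13/TP1A.220624.021/8877034:user/release-keys",
    "ro.build.tags": "release-keys",
}

if __name__ == "__main__":
    for label, profile, paths in (
        ("stock emulator", STOCK_EMULATOR, STOCK_EMULATOR_PATHS),
        ("hardened sandbox", HARDENED_SANDBOX, []),
    ):
        fired = sandbox_checks(profile, paths)
        print(f"{label}: {fired if fired else 'no checks fire'}")
```

The point for a defender is the inverse of the malware's: every line this prints for your analysis VM is a property to spoof or a file to remove before a sample like this will unpack its later stages, and a profile that prints nothing is the baseline worth keeping.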
- AirFS (com.airft.ftrnsfr)
- Amber (com.shrp.sght)
- Astro Explorer (com.astro.dscvr)
- Brain Matrix (com.brnmth.mtrx)
- CryptoPulsing (com.cryptopulsing.browser)
The apps work in three stages: a dropper that launches a loader, which in turn fetches the core component of the spyware from a command-and-control (C2) server, decrypts it, and runs it.
The second-stage payload collects information about the device's network status, installed apps, battery level, public IP address, and current Google Play version. It can also remove the core module and request permissions to draw overlays and run in the background.
The third stage supports additional commands to load a given URL in a WebView, start a remote screen-sharing session, and record the device screen, with the aim of harvesting user credentials and delivering further malware.
“Android 13 introduced the ‘Restricted Settings’ attribute, blocking sideloaded apps from directly soliciting high-risk permissions,” the researchers said. “To bypass this feature, Mandrake handles the installation with a ‘session-based’ package installer.”
The Russian cybersecurity firm described Mandrake as a prime example of a dynamically evolving threat that keeps refining its techniques to get past defenses and avoid detection.
“This underscores the impressive skills of threat actors, as well as the fact that stricter scrutiny for apps prior to their release in markets leads to more sophisticated, elusive threats infiltrating official app platforms,” they stated.
In response to inquiries, Google told The Hacker News that it continues to strengthen Google Play Protect defenses whenever new malicious apps are identified, and that it is expanding its capabilities to include real-time threat detection to counter obfuscation and anti-detection techniques.
“Android users are automatically shielded against known iterations of this malware by Google Play Protect, which is activated by default on Android devices with Google Play Services,” shared a Google spokesperson. “Google Play Protect can alert users or restrict apps known for exhibiting malicious conduct, even when those apps hail from sources beyond Play.”