A new version of the sophisticated Android spyware known as Mandrake has been uncovered in five applications that were available for download from the Google Play Store, remaining undetected for two years.
These applications amassed a total of over 32,000 installations before being removed from the app store, according to a report by Kaspersky on Monday. The majority of these downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K.
“The new samples included additional layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing various tests to check if Mandrake was running on a rooted device or in an emulated environment,” researchers Tatyana Shishkova and Igor Golovin stated.
Mandrake was first documented by Romanian cybersecurity vendor Bitdefender in May 2020, which described its methodical approach of infecting only a limited number of devices in order to stay hidden, a campaign that had been running since 2016.
The updated variants are noted for using OLLVM to hide their main functionality, and they also feature numerous sandbox evasion and anti-analysis techniques to prevent the code from being executed in environments operated by malware analysts.
The list of apps containing Mandrake includes:
- AirFS (com.airft.ftrnsfr)
- Amber (com.shrp.sght)
- Astro Explorer (com.astro.dscvr)
- Brain Matrix (com.brnmth.mtrx)
- CryptoPulsing (com.cryptopulsing.browser)
These apps operate in three stages: a dropper starts a loader, and the loader downloads the core component from a command-and-control (C2) server, decrypts it, and executes it.
The second-stage payload can gather information about the device’s connectivity status, installed applications, battery percentage, external IP address, and current Google Play version. It can also wipe the core module and request permissions to draw overlays and run in the background.
The third stage supports additional commands to load a specific URL in a WebView, initiate a remote screen-sharing session, and record the device screen with the goal of stealing victims’ credentials and deploying more malware.
“Android 13 introduced the ‘Restricted Settings’ feature, which prevents sideloaded applications from directly requesting dangerous permissions,” the researchers explained. “To circumvent this feature, Mandrake processes the installation with a ‘session-based’ package installer.”
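Two facts above give a defender something to check on a device: the five package names from the Kaspersky list, and the note that the dropper installs its later stages through the session-based PackageInstaller API, which records the calling app as the installer of whatever it installs. The script below, added here as an example and not code from the report or from Google, parses the output of `adb shell pm list packages -i` (one `package:<name>  installer=<pkg or null>` line per app) and flags the known packages, anything they installed, and, as a lower-confidence review queue, user apps that did not come from the Play Store. The sample `pm` output and the `com.example.*` package names are constructed for the example; the system-package prefixes skipped in the third check are a heuristic, not part of the report.

```python
"""Triage `adb shell pm list packages -i` output for the Mandrake droppers
named in the Kaspersky report and for packages they installed.

Each line pm prints looks like:
    package:<name>  installer=<installer package or null>
A package installed through the session-based PackageInstaller API records
the calling app as its installer, so a second stage dropped by one of the
known packages shows up with that package in the installer column.
"""
import re

# Package names taken from the report (the five apps listed above).
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr",
    "com.shrp.sght",
    "com.astro.dscvr",
    "com.brnmth.mtrx",
    "com.cryptopulsing.browser",
}

PLAY_STORE = "com.android.vending"

# Heuristic (assumption): preinstalled platform packages usually show
# installer=null and are not interesting for the "not from Play" queue.
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")

LINE_RE = re.compile(r"^package:(?P<pkg>[\w.]+)\s+installer=(?P<inst>[\w.]+|null)\s*$")

# Constructed sample output; com.example.* packages are invented for the demo.
SAMPLE_PM_OUTPUT = """\
package:com.android.vending  installer=null
package:com.airft.ftrnsfr  installer=com.android.vending
package:com.example.stage2  installer=com.airft.ftrnsfr
package:com.example.notes  installer=com.android.vending
package:com.example.sideload  installer=null
package:com.android.settings  installer=null
"""


def parse_pm_output(text):
    """Map package name -> installer package (None when pm printed 'null')."""
    installed = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a package line
        inst = m.group("inst")
        installed[m.group("pkg")] = None if inst == "null" else inst
    return installed


def triage(installed):
    """Return three finding lists, each sorted by package name.

    known_mandrake       - package is one of the five reported droppers
    installed_by_mandrake - package was installed by one of those droppers
    not_from_play        - user app whose installer is not the Play Store
    """
    findings = {"known_mandrake": [], "installed_by_mandrake": [], "not_from_play": []}
    for pkg, inst in sorted(installed.items()):
        if pkg in MANDRAKE_PACKAGES:
            findings["known_mandrake"].append(pkg)
        if inst in MANDRAKE_PACKAGES:
            findings["installed_by_mandrake"].append((pkg, inst))
        elif inst != PLAY_STORE and not pkg.startswith(SYSTEM_PREFIXES):
            findings["not_from_play"].append((pkg, inst))
    return findings


if __name__ == "__main__":
    for category, items in triage(parse_pm_output(SAMPLE_PM_OUTPUT)).items():
        print(f"{category}: {items}")
```

Feed it real output with `adb shell pm list packages -i > pm.txt` and `parse_pm_output(open("pm.txt").read())`; the first two lists are direct indicators, the third is only a starting point, since legitimate sideloads and enterprise MDM installs land there too.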
The Russian security firm described Mandrake as a dynamically evolving threat that continually refines its techniques to bypass defense mechanisms and evade detection.
“This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces,” it stated.
When contacted for comment, Google told The Hacker News that it is continuously enhancing Google Play Protect defenses as new malicious apps are flagged, and it is improving its capabilities to include live threat detection to combat obfuscation and anti-evasion techniques.
“Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services,” a Google spokesperson said. “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”