A new version of the notorious Android spyware, Mandrake, has been identified in five Google Play Store applications, according to a report by Kaspersky. The affected apps include AirFS, Amber, Brain Matrix, Cryptopulsing, and Astro Explorer, collectively amassing over 32,000 installations primarily in countries like Mexico, Spain, Peru, Germany, Canada, and the UK.
Despite their widespread distribution, these apps have been removed from the Play Store, with AirFS being the last to be taken down in March 2024.
The latest Mandrake variant employs advanced evasion techniques to avoid detection. Researchers Tatyana Shishkova and Igor Golovin highlighted that this version moves malicious functionalities to obfuscated native libraries, uses certificate pinning for C2 communications, and conducts tests to detect if it’s running on a rooted device or in an emulator.
Notably, it circumvents Android 13’s “Restricted Settings” feature by using a session-based package installer, showcasing its sophisticated approach to bypassing security measures.
The spyware’s operation unfolds in three stages. Initially, a dropper launches a loader to execute the malware’s core component. In the second stage, it gathers device data like connectivity status, battery level, IP address, and the current Google Play version.
During this phase, it can also remove the core module, request permission to draw overlays, and run in the background. Finally, in the third stage, the malware can load a URL that grants remote screen-sharing access to the threat actor.
In response to this incident, Google has acknowledged the situation and emphasized its ongoing efforts to enhance security. The company pointed out that Google Play Protect, which is enabled by default on all Android devices, already shields users from known versions of Mandrake.
However, Google also recognized the evolving nature of Mandrake, which continually devises new evasion tactics, making it a persistent challenge to counteract.
Mandrake has been active since 2016 but remained undetected until it was first documented by Bitdefender in 2020. Despite numerous attempts to curtail its spread, Mandrake has successfully evaded detection and removal multiple times over the past four years. This persistent and evolving threat underscores the ongoing battle between cybersecurity measures and sophisticated malware techniques.
