Mandrake Spyware Returns with New Version in Google Play Apps, Using Advanced Evasion Methods

A new version of the notorious Android spyware Mandrake has been identified in five Google Play Store applications, according to a report by Kaspersky. The affected apps, AirFS, Amber, Brain Matrix, Cryptopulsing and Astro Explorer, collectively amassed more than 32,000 installations, most of them in Mexico, Spain, Peru, Germany, Canada and the UK.

All five apps have since been removed from the Play Store; AirFS, the last of them, was taken down in March 2024.

The latest Mandrake variant uses advanced evasion techniques to avoid detection. Researchers Tatyana Shishkova and Igor Golovin note that this version moves its malicious functionality into obfuscated native libraries, uses certificate pinning for its C2 communications, and checks whether it is running on a rooted device or in an emulator.


Notably, it sidesteps Android 13's "Restricted Settings" feature by installing through a session-based package installer. Restricted Settings only locks down apps that arrive through a non-session installer (for example an APK downloaded in a browser), so an app installed the way an app store installs it is not subject to the restriction.

The spyware’s operation unfolds in three stages. Initially, a dropper launches a loader to execute the malware’s core component. In the second stage, it gathers device data like connectivity status, battery level, IP address, and the current Google Play version.

During this phase, it can also remove the core module, request permission to draw overlays, and run in the background. Finally, in the third stage, the malware can load a URL that grants remote screen-sharing access to the threat actor.
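A static triage pass a reviewer might run over an APK to look for the staged layout described above: native libraries that may carry the real logic, and nested or encrypted blobs that a dropper or loader unpacks at runtime. This is an added example, not Kaspersky's tooling or anything from the Mandrake samples; the sample APK is constructed inline, and the entropy threshold and file-type heuristics are assumptions.

```python
"""Static triage of an APK (a zip) for dropper/loader artefacts.

Added example with assumed heuristics; the sample APK is constructed inline
and is not a real Mandrake sample.
"""
import io
import math
import random
import zipfile
from collections import Counter
from dataclasses import dataclass

# Images are already compressed, so their high entropy is not interesting.
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".webp", ".gif")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; values near 8 suggest compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5, min_size: int = 256) -> list[Finding]:
    """Walk every entry of the APK and flag the ones worth a closer look.

    Per entry, the first matching rule wins:
      1. a native library under lib/ (where a loader's logic may live)
      2. ELF or DEX content outside its normal location (hidden code)
      3. a nested archive (an embedded next-stage APK/JAR)
      4. a high-entropy non-image blob (a possibly encrypted next stage)
    Signature files under META-INF/ are skipped for the entropy rule.
    """
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            data = zf.read(name)
            if name.startswith("lib/") and lower.endswith(".so"):
                findings.append(Finding(name, "native library: inspect for obfuscated or packed code"))
            elif data[:4] == b"\x7fELF":
                findings.append(Finding(name, "ELF binary outside lib/: hidden native code"))
            elif data[:4] == b"dex\n" and "/" in name:
                findings.append(Finding(name, "DEX outside the APK root: embedded code stage"))
            elif data[:4] == b"PK\x03\x04":
                findings.append(Finding(name, "nested archive: embedded APK/JAR stage"))
            elif (len(data) >= min_size and not lower.endswith(IMAGE_SUFFIXES)
                  and not name.startswith("META-INF/")):
                ent = shannon_entropy(data)
                if ent >= entropy_threshold:
                    findings.append(Finding(name, f"high-entropy blob ({ent:.2f} bits/byte): possible encrypted stage"))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a dropper APK: manifest and DEX placeholders, one
    native library, a nested archive, a random blob standing in for an encrypted
    next stage, and one innocuous text asset."""
    rng = random.Random(2024)  # deterministic "encrypted" payload
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as nz:
        nz.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 60)  # binary-XML header only
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 128)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"A" * 300)
        zf.writestr("assets/loader.bin", inner.getvalue())         # nested archive
        zf.writestr("assets/fonts/data.bin", rng.randbytes(4096))  # encrypted-stage stand-in
        zf.writestr("assets/readme.txt", b"plain text asset\n" * 20)
    return out.getvalue()


if __name__ == "__main__":
    for finding in triage_apk(build_sample_apk()):
        print(f"{finding.path:32} {finding.reason}")
```

On the constructed sample this reports the native library, the nested archive and the random blob, and stays silent on the manifest, the root DEX and the text asset. It is a first-pass filter, not a verdict: a real APK also needs its binary manifest decoded (for example with `aapt` or `apkanalyzer`) to see whether it requests overlay (`SYSTEM_ALERT_WINDOW`) or package-install permissions, and any flagged native library still has to be opened in a disassembler.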

In response to the report, Google acknowledged the findings and pointed to its ongoing security work. The company noted that Google Play Protect, which is on by default on Android devices with Google Play Services, already protects users against known versions of Mandrake.

Google also acknowledged that Mandrake keeps evolving and continually devises new evasion tactics, which makes it a persistent challenge to counter.

Mandrake has been active since 2016 but went undocumented until Bitdefender first described it in 2020. Despite repeated takedowns, it has evaded detection and removal several times over the past four years, a reminder of the ongoing contest between platform defenses and malware that adapts to them.

Jyotsana Chaudhary
Jyotsana Chaudhary is a non-conforming soul, driven by a love for research, exploration, and crafting distinctive written works. With an insatiable thirst for knowledge, she dives deep into diverse subjects, challenging norms and seeking enlightenment. Her passion for exploration transcends physical boundaries, leading her to uncover hidden gems in both the world and the mind. Through her unique writing, she weaves intricate narratives that provoke thought and ignite imagination. In nature, art, and introspection, she finds solace and inspiration. Guided by curiosity and a desire for self-expression, she carves a path marked by intellectual curiosity, adventurous spirit, and creative brilliance.