A new version of the Android spyware “Mandrake” has been discovered in five applications that have been downloaded 32,000 times from Google Play, the platform’s official app store.
Bitdefender researchers first documented Mandrake in 2020, highlighting the malware's advanced espionage capabilities and noting that it had been in the wild since at least 2016.
Kaspersky Lab now reports a new variant of Mandrake that is more obfuscated and evasive, and that sneaked into Google Play through five apps submitted to the store in 2022.
These apps were available for at least a year; the last of them, and the most successful in terms of popularity and infections, AirFS, was removed at the end of March 2024.
Kaspersky identified five apps that carry Mandrake:
- Air FS – File Sharing over Wi-Fi by it9042 (downloaded 30,305 times between April 28, 2022 and March 15, 2024)
- Astro Explorer by shevabad (downloaded 718 times between May 30, 2022 and June 6, 2023)
- amber by kodaslda (downloaded 19 times between February 27, 2022 and August 19, 2023)
- Cryptopulse by shevabad (downloaded 790 times between November 2, 2022 and June 6, 2023)
- Brain Matrix by kodaslda (downloaded 259 times between April 27, 2022 and June 6, 2023)
According to the cybersecurity firm, most of the downloads came from Canada, Germany, Italy, Mexico, Spain, Peru and the UK.
Avoiding detection
Unlike typical Android malware, which places its malicious logic in the app's DEX files, Mandrake hides its initial stage in a native library, "libopencv_dnn.so", that is heavily obfuscated with OLLVM.
Once the malicious app is installed, the library exports a function that decrypts the second-stage loader DEX from the assets folder and loads it into memory.
The second stage loads another native library, "libopencv_java3.so", which requests the permission to draw overlays and decrypts the certificates used to secure communication with the command and control (C2) server.
Once communication is established with the C2, the app sends a device profile and, if deemed appropriate, receives the core Mandrake components (stage 3).
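The staging described above leaves two static artifacts in the APK that an analyst can look for before running anything: the named native libraries under lib/, and an encrypted (hence high-entropy) blob under assets/ that stands in for the second-stage DEX. The triage script below is an added example written for this article, not code from Kaspersky or from the malware; the library names come from the report, while the entropy threshold, the minimum blob size and the constructed sample APK are assumptions made for illustration.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Native library names reported for this Mandrake variant (from the article).
SUSPECT_NATIVE_LIBS = {"libopencv_dnn.so", "libopencv_java3.so"}
# Assumed heuristics: encrypted or compressed payloads approach 8 bits/byte,
# while plaintext DEX, images and text sit well below. Tune for your corpus.
ENTROPY_THRESHOLD = 7.5
MIN_BLOB_SIZE = 4096
DEX_MAGIC = b"dex\n"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Walk the APK zip and collect the static indicators of a staged loader."""
    findings = {"suspect_native_libs": [], "high_entropy_assets": [], "dex_files": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.rsplit("/", 1)[-1] in SUSPECT_NATIVE_LIBS:
                findings["suspect_native_libs"].append(name)
            elif name.startswith("assets/") and info.file_size >= MIN_BLOB_SIZE:
                data = zf.read(name)
                ent = shannon_entropy(data)
                # A plaintext DEX in assets is a different (and louder) pattern;
                # here we want the encrypted blob a native loader would decrypt.
                if ent >= ENTROPY_THRESHOLD and not data.startswith(DEX_MAGIC):
                    findings["high_entropy_assets"].append((name, round(ent, 2)))
            elif name.endswith(".dex"):
                findings["dex_files"].append(name)
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag only when both halves of the staging pattern are present together."""
    return bool(findings["suspect_native_libs"]) and bool(findings["high_entropy_assets"])


def build_sample_apk() -> bytes:
    """Constructed sample APK (not a real sample): a tiny DEX, a stub native
    library with the reported name, a seeded pseudo-random blob standing in for
    the encrypted second stage, and a benign low-entropy text asset."""
    rng = random.Random(1337)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        zf.writestr("lib/arm64-v8a/libopencv_dnn.so", b"\x7fELF" + b"\x00" * 128)
        zf.writestr("assets/model.bin", rng.randbytes(8192))
        zf.writestr("assets/readme.txt", (b"The quick brown fox jumps over the lazy dog.\n" * 120))
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(result))
```

On a real APK, pass the file's bytes to `triage_apk`; the entropy check alone fires on legitimate compressed assets such as ML models, which is why `is_suspicious` requires the named native library as well. Neither indicator proves infection; they select candidates for dynamic analysis.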
Once the core components are activated, the Mandrake spyware is able to carry out a variety of malicious activities, including data collection, screen recording and monitoring, command execution, simulating user swipes and taps, file management, and app installation.
In particular, threat actors can trick users into installing unsafe files by displaying notifications that mimic Google Play, lending the process a seemingly trustworthy appearance and encouraging users to install malicious APKs.
According to Kaspersky, the malware uses the session-based package installation method to get around the restrictions that Android 13 (and above) places on installing APKs from unofficial sources.
Like other Android malware, Mandrake operates stealthily by asking the user for permission to run in the background and hiding the dropper app icon on the victim’s device.
The latest version of the malware also comes with better evasion capabilities, and now specifically checks for the presence of Frida, a dynamic instrumentation toolkit popular among security analysts.
It also checks the root status of the device and searches for specific binaries associated with rooting, checks whether the system partition is mounted read-only, and checks whether developer settings and ADB are enabled on the device.
The Mandrake threat remains, and although the five apps identified by Kaspersky as droppers are no longer available on Google Play, the malware may return via new apps that are harder to detect.
Android users are advised to only install apps from trusted sources, review user comments before installation, avoid allowing dangerous permission requests that may be unrelated to the app’s functionality, and ensure that Play Protect is always enabled.
Google released the following statement about the malicious apps found on Google Play:
“Google Play Protect is continuously improved with each app identified. We’re constantly enhancing its capabilities, including live threat detection to combat obfuscation and anti-evasion techniques,” Google told BleepingComputer.
“Android users are automatically protected from known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even if they come from sources other than Play.”