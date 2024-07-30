A new version of a sophisticated Android spyware called Mandrake has been discovered in five apps that were available for download on the Google Play Store and went undetected for two years.

The Discovery of the Mandrake Spyware

The apps attracted a total of more than 32,000 installs before being removed from the store, Kaspersky said in a report Monday. Most of the downloads came from Canada, Germany, Italy, Mexico, Spain, Peru and the United Kingdom.

“The new samples included new levels of obfuscation and evasion techniques, such as moving malicious functionality into obfuscated native libraries, using certificate pinning for C2 communications, and running a wide range of tests to verify whether Mandrake was running on a rooted device or in an emulated environment,” said researchers Tatyana Shishkova and Igor Golovin.

How was this spyware discovered?

Mandrake was first documented by Romanian cybersecurity firm Bitdefender in May 2020, which described its deliberate approach of infecting only a small number of devices while managing to stay under the radar since 2016.

The Mandrake Variants

The updated variants are characterized by the use of OLLVM (Obfuscator-LLVM) to hide core functionality, while also integrating a number of sandbox and anti-analysis evasion techniques that stop the code from running in the environments malware analysts use to study it.

The list of apps containing Mandrake is as follows:

AirFS (com.airft.ftrnsfr)

Amber (com.shrp.sght)

AstroExplorer (com.astro.dscvr)

BrainMatrix (com.brnmth.mtrx)

CryptoPulsing (com.cryptopulsing.browser)
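The package names above are the only indicators the article gives, so the first check a responder wants is whether any of them is present on a device. The following script is an added example, not code from Kaspersky, Google or the article; it parses the output of `adb shell pm list packages -f` (or plain `pm list packages`) and flags the five known Mandrake package names. The sample listing embedded in it is constructed for illustration and is not a real device capture.

```python
"""Triage helper: flag the Mandrake package names from a device's
installed-package listing.  Added example, not the report's own code."""
import re

# Package names as listed in the Kaspersky report (verbatim from the article),
# mapped to the app label each one shipped under.
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr": "AirFS",
    "com.shrp.sght": "Amber",
    "com.astro.dscvr": "AstroExplorer",
    "com.brnmth.mtrx": "BrainMatrix",
    "com.cryptopulsing.browser": "CryptoPulsing",
}

# `adb shell pm list packages -f` prints one line per package:
#   package:/data/app/<dir>/base.apk=<package.name>
# Plain `pm list packages` prints just `package:<package.name>`.
# The non-greedy path group stops at the last '=' because the package
# name that follows cannot contain '=' or '/'.
_PM_LINE = re.compile(r"^package:(?:(?P<path>.*?)=)?(?P<name>[A-Za-z0-9_.]+)\s*$")


def parse_pm_list(text):
    """Return {package_name: apk_path_or_None} from pm list output."""
    found = {}
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            found[m.group("name")] = m.group("path")
    return found


def find_mandrake(text):
    """Return [(package, app_label, apk_path)] for every known Mandrake
    package present in the listing, sorted by package name."""
    installed = parse_pm_list(text)
    return [
        (pkg, MANDRAKE_PACKAGES[pkg], installed[pkg])
        for pkg in sorted(installed)
        if pkg in MANDRAKE_PACKAGES
    ]


# Constructed sample listing (hypothetical paths, not a real device capture).
SAMPLE = """\
package:/data/app/~~abc==/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/~~def==/com.airft.ftrnsfr-1/base.apk=com.airft.ftrnsfr
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:com.shrp.sght
"""

if __name__ == "__main__":
    for pkg, label, path in find_mandrake(SAMPLE):
        print(f"MATCH {pkg} ({label}) at {path or 'unknown path'}")
```

On a live device, pipe `adb shell pm list packages -f` into `find_mandrake`; when a hit has a path, `adb pull` that APK before uninstalling so the sample is preserved for analysis. Because the package names are the only indicator here, a renamed repackaging of the same code would not be caught; treat a clean result as "none of these five packages", not as "no Mandrake".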

The apps operate in three stages: a dropper launches a loader, which downloads the main malware component from a command and control (C2) server, decrypts it, and executes it.

Android apps behind which Mandrake spyware was hidden

The second-stage payload collects information about the device’s connectivity status, installed applications, battery percentage, external IP address, and current Google Play version. It can also erase the main module and request permissions to draw overlays on top of other apps and to run in the background.

The third stage supports additional commands to load a specific URL in a WebView, start a remote screen-sharing session, and record the device’s screen, with the aim of stealing victims’ credentials and dropping additional malware.

“Android 13 introduced the ‘Restricted Settings’ feature, which prohibits sideloaded apps from directly requesting dangerous permissions,” the researchers said. “To circumvent this feature, Mandrake handles the installation through a session-based package installer.”

The Russian security firm described Mandrake as an example of an ever-evolving threat, constantly refining its techniques to bypass defense mechanisms and avoid detection.

“This highlights the considerable expertise of these cybercriminals and also that more stringent controls for applications before publication on the markets only result in more sophisticated and difficult to detect threats sneaking into official app marketplaces,” they said.

Contacted for comment, Google said it is continually strengthening Google Play Protect’s defenses as new malicious apps are reported, and is enhancing its capabilities to include real-time threat detection to address obfuscation and evasion techniques.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services,” said a Google spokesperson. “Google Play Protect can warn users or block apps known to be malicious, even when those apps come from sources outside of Play.”