Mandrake Spyware Resurfaces in Google Play Store: Over 32,000 Devices Infected

A sophisticated Android spyware known as Mandrake has resurfaced, concealed within five seemingly benign applications available on the Google Play Store. This spyware managed to evade detection for a staggering two years before being discovered, highlighting the persistent and evolving threat posed by malicious actors in the digital realm.

The Discovery and Spread

According to a detailed report by cybersecurity firm Kaspersky, the infected applications amassed over 32,000 installations before they were finally removed from the app store. The majority of these downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K., indicating a wide geographic spread of the threat.

Sophisticated Evasion Techniques

Researchers Tatyana Shishkova and Igor Golovin from Kaspersky noted that the new variants of Mandrake incorporated advanced layers of obfuscation and evasion techniques. These included moving malicious functionality to obfuscated native libraries, using certificate pinning for command-and-control (C2) communications, and performing extensive checks to determine if Mandrake was running on a rooted device or in an emulated environment.

Mandrake’s ability to stay hidden and undetected for such an extended period is a testament to the evolving sophistication of cyber threats. Originally documented by Romanian cybersecurity vendor Bitdefender in May 2020, Mandrake has been silently infecting devices since 2016, targeting a select number of victims to avoid drawing attention.

Technical Breakdown

The updated Mandrake variants employ OLLVM to obscure their main functionality. This is coupled with a range of sandbox evasion and anti-analysis techniques designed to prevent the code from being executed in controlled environments used by malware analysts.

The five apps identified as carriers of the Mandrake spyware are:

  • AirFS (com.airft.ftrnsfr)
  • Amber (com.shrp.sght)
  • Astro Explorer (com.astro.dscvr)
  • Brain Matrix (com.brnmth.mtrx)
  • CryptoPulsing (com.cryptopulsing.browser)

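The five package names above are the most directly usable indicators in the report. The following is an added example (not Kaspersky's or Google's code) showing how a defender can check a device's installed packages against that list by parsing the output of `adb shell pm list packages`; the helper names and the sample `pm` output are constructed for illustration and were not captured from a real device.

```python
"""Check `adb shell pm list packages` output against the five Mandrake
package names reported by Kaspersky and listed in the article above.
Added example; not code from Kaspersky, Google, or the article."""

import re
import subprocess
from typing import Iterable

# Package names exactly as reported in the article, treated as IoCs.
MANDRAKE_PACKAGES = frozenset({
    "com.airft.ftrnsfr",           # AirFS
    "com.shrp.sght",               # Amber
    "com.astro.dscvr",             # Astro Explorer
    "com.brnmth.mtrx",             # Brain Matrix
    "com.cryptopulsing.browser",   # CryptoPulsing
})

# `pm list packages` prints "package:<name>"; with -f it prints
# "package:<apk path>=<name>". The regex captures the name in both forms
# (the lazy group backtracks to the last "=" before the trailing name).
_PM_LINE = re.compile(r"^package:(?:.*?=)?(?P<name>[A-Za-z0-9_.]+)\s*$")


def parse_pm_list(output: str) -> list[str]:
    """Extract package names from `pm list packages` output, skipping noise lines."""
    names = []
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            names.append(m.group("name"))
    return names


def find_known_packages(output: str,
                        iocs: Iterable[str] = MANDRAKE_PACKAGES) -> list[str]:
    """Return the installed package names that appear in the IoC list, sorted."""
    return sorted(set(parse_pm_list(output)) & set(iocs))


def scan_connected_device() -> list[str]:
    """Run the check against a device attached over adb (adb must be on PATH)."""
    result = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-f"],
        capture_output=True, text=True, check=True,
    )
    return find_known_packages(result.stdout)


# Constructed sample output (hypothetical paths, not from a real device) for offline use.
SAMPLE_PM_OUTPUT = """\
package:/product/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/~~abc==/com.airft.ftrnsfr-xyz==/base.apk=com.airft.ftrnsfr
package:/data/app/~~def==/com.example.notes-123==/base.apk=com.example.notes
package:/data/app/~~ghi==/com.brnmth.mtrx-456==/base.apk=com.brnmth.mtrx
"""

if __name__ == "__main__":
    hits = find_known_packages(SAMPLE_PM_OUTPUT)
    print("Known Mandrake packages installed:", hits or "none")
```

A package-name match is only a first-pass indicator: the same family can be republished under new names, so a clean result here does not clear a device, and a hit should be followed by pulling the APK for hash and signer comparison.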
These apps deploy a three-stage attack mechanism. The first stage involves a dropper that initiates a loader, which in turn downloads and decrypts the core component of the malware from a C2 server. The second stage payload collects extensive information about the device, including its connectivity status, installed applications, battery percentage, external IP address, and current Google Play version. It can also request permissions to draw overlays and run in the background, adding to its stealth.

The third stage supports more advanced commands, such as loading specific URLs in a WebView, initiating remote screen sharing sessions, and recording the device screen. These capabilities enable the spyware to steal credentials and deploy additional malware.

Countermeasures and Ongoing Threats

The introduction of Android 13’s “Restricted Settings” feature, which prevents sideloaded apps from directly requesting dangerous permissions, posed a challenge for Mandrake. However, the spyware circumvented this by processing installations with a “session-based” package installer, demonstrating its adaptability.

Kaspersky’s analysis underscores the dynamic nature of Mandrake, describing it as a continuously evolving threat that refines its techniques to bypass security measures and evade detection. The sophistication of these threat actors highlights the need for more stringent controls and rigorous vetting of applications before they are published on app marketplaces.

Google’s Response

In response to the discovery, Google has emphasized its ongoing efforts to enhance Google Play Protect defenses. A Google spokesperson informed The Hacker News that the company is continuously improving its capabilities to include live threat detection, which is crucial for tackling advanced obfuscation and anti-evasion techniques employed by malware like Mandrake.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services,” the spokesperson said. “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

Conclusion

The resurgence of Mandrake spyware in the Google Play Store highlights the relentless ingenuity of cybercriminals and the ongoing challenge of securing digital ecosystems. As malicious actors develop increasingly sophisticated techniques to infiltrate app marketplaces, the importance of robust cybersecurity measures and continuous vigilance cannot be overstated. Users are advised to remain cautious, regularly update their devices, and rely on trusted security tools to mitigate the risk of malware infections.
