
Mandrake Spyware Resurfaces in Google Play Store Apps

A sophisticated Android spyware known as Mandrake has been detected in five applications available on the Google Play Store. This spyware remained undetected for two years before being discovered. According to Kaspersky, these infected apps were downloaded over 32,000 times before being removed. Most downloads occurred in Canada, Germany, Italy, Mexico, Spain, Peru, and the United Kingdom.


Advanced Obfuscation and Evasion Techniques

Researchers reported that the new Mandrake variants include advanced obfuscation and evasion techniques. These involve moving malicious functions to obfuscated native libraries, using certificate pinning for command-and-control (C2) communications, and performing various tests to detect if Mandrake is running on a rooted device or in an emulated environment.

Mandrake was initially discovered by Bitdefender, a Romanian cybersecurity firm, in May 2020. They revealed its method of infecting a small number of devices while remaining undetected since 2016. The latest versions of Mandrake use OLLVM to obscure their core functionality and employ numerous sandbox evasion and anti-analysis measures to prevent detection by malware analysts.

List of Infected Apps

The apps identified to contain Mandrake spyware are:

  • AirFS (com.airft.ftrnsfr)
  • Amber (com.shrp.sght)
  • Astroexplorer (com.astro.dscvr)
  • Brain Matrix (com.brnmth.mtrx)
  • Crypto Pulsing (com.cryptopulsing.browser)

These apps execute the malware in three stages. First, the app acts as a dropper: it downloads the next stage from a C2 server and decrypts it. Then the dropper runs a loader that activates the main component. The second-stage payload collects data on the device’s connectivity, installed apps, battery status, external IP address, and current Google Play version. It can also delete the core module and request the permissions needed to draw overlays and run in the background. The third stage includes commands to load specific URLs, initiate remote screen sharing, and record the device screen to capture credentials and deliver further malware.
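A triage check a defender can run against a fleet, as an added example that is not part of the article or of Kaspersky's tooling: it parses the output of `adb shell pm list packages -i` and flags the five package names listed above. The sample output is constructed, not captured from a real device, and the `installer=` field is only reported for packages whose installer is recorded.

```python
import re

# Package names of the five apps the article lists as carrying Mandrake.
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr": "AirFS",
    "com.shrp.sght": "Amber",
    "com.astro.dscvr": "Astroexplorer",
    "com.brnmth.mtrx": "Brain Matrix",
    "com.cryptopulsing.browser": "Crypto Pulsing",
}

# `pm list packages -i` prints one line per package: "package:<name>  installer=<pkg|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)(?:\s+installer=(?P<inst>\S+))?$")


def parse_pm_list(output):
    """Parse `pm list packages [-i]` output into (package, installer) pairs.

    installer is None when the -i flag was not used or the line has no field.
    """
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("pkg"), m.group("inst")))
    return entries


def find_mandrake(entries):
    """Return one finding per installed package that matches a known Mandrake app."""
    findings = []
    for pkg, installer in entries:
        if pkg in MANDRAKE_PACKAGES:
            findings.append({"package": pkg, "app": MANDRAKE_PACKAGES[pkg], "installer": installer})
    return findings


# Constructed sample output (hypothetical device; not real capture data).
SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.airft.ftrnsfr  installer=com.android.vending
package:com.example.notes  installer=null
package:com.cryptopulsing.browser  installer=com.android.vending
"""

if __name__ == "__main__":
    for f in find_mandrake(parse_pm_list(SAMPLE_OUTPUT)):
        print(f"{f['app']} ({f['package']}) installed via {f['installer']}")
```

Because the infected apps were served from the Play Store, a match with `installer=com.android.vending` is expected and does not make the hit any less relevant; the installer field mainly helps when correlating with sideloaded packages.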

New Mandrake Spyware Version on Google Play Store

Bypassing Android 13’s ‘Restricted Settings’

The researchers noted that Android 13 introduced the ‘Restricted Settings’ feature to prevent sideloaded apps from requesting dangerous permissions directly. Mandrake circumvents this by using a ‘session-based’ package installer.

Ongoing Threat and Google’s Response

Mandrake represents a continually evolving threat, constantly improving its techniques to bypass security measures and avoid detection. This highlights the attackers’ high skill levels and the need for stricter app review processes in official marketplaces.

In response to the discovery, Google stated that it continually strengthens Google Play Protect defenses and expands capabilities for live threat detection to combat obfuscation and anti-evasion tactics. A Google spokesperson assured that Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on devices with Google Play Services. Google Play Protect can warn users or block apps displaying malicious behavior, even if these apps are sourced outside of the Play Store.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.
