Mandrake Spyware Resurfaces in Google Play Store Apps After 2 Years

A sophisticated Android spyware known as Mandrake has reappeared, hidden within five apps that were available on the Google Play Store for two years without detection.

According to the report, these applications garnered over 32,000 installations before they were finally removed from the platform. The majority of these downloads occurred in countries such as Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K.

“The latest versions of Mandrake introduced new layers of obfuscation and evasion, including moving malicious functionalities to obfuscated native libraries, using certificate pinning for secure command-and-control (C2) communications, and conducting a variety of checks to determine if the malware was running on a rooted device or in an emulated environment,” explained researchers.

Originally discovered by Bitdefender in May 2020, Mandrake was noted for its careful and deliberate approach, infecting only a small number of devices while remaining undetected since its emergence in 2016. The malware has not yet been attributed to any specific threat actor or group.

The updated versions of Mandrake are particularly noteworthy for their use of OLLVM to obscure the core functionality of the spyware, as well as employing advanced sandbox evasion and anti-analysis techniques. These measures are designed to prevent the code from being executed in environments monitored by security analysts.

The five apps found to contain Mandrake include:

– AirFS (com.airft.ftrnsfr)
– Amber (com.shrp.sght)
– Astro Explorer (com.astro.dscvr)
– Brain Matrix (com.brnmth.mtrx)
– CryptoPulsing (com.cryptopulsing.browser)

These apps operate in three stages: First, a dropper launches a loader responsible for executing the malware’s core component after it is downloaded and decrypted from a C2 server.

The second stage of the payload gathers detailed information about the device, including connectivity status, installed applications, battery level, external IP address, and the current version of Google Play. It also has the capability to remove the core module and request permissions to draw overlays and run background processes.

In the third stage, Mandrake can execute additional commands such as loading a specific URL in a WebView, initiating remote screen sharing, and recording the device screen. These actions are primarily aimed at stealing the victim’s credentials and deploying more malware.
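As an added example (not code from the report or the researchers), the following Python triages captured `adb shell pm list packages` and `dumpsys package` output against the five package names listed above and against the overlay and background-execution permissions the second stage requests; the device output is constructed, and the `requested permissions:` block layout of `dumpsys package` is an assumption.

```python
# Triage captured `adb shell pm list packages` / `dumpsys package` output.
# Added example, not the researchers' code; device output below is constructed.
import re

# Package names of the five Play Store apps reported to carry Mandrake.
MANDRAKE_PACKAGES = {"com.airft.ftrnsfr", "com.shrp.sght", "com.astro.dscvr",
                     "com.brnmth.mtrx", "com.cryptopulsing.browser"}
# Permissions matching the second-stage behaviour: overlays and background work.
SUSPECT_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW",
                 "android.permission.FOREGROUND_SERVICE"}

def parse_package_list(text):
    """`pm list packages` prints one `package:<name>` line per installed app."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", text, re.M)}

def parse_requested_perms(dumpsys_text):
    """Names under the `requested permissions:` block (assumed layout: header,
    one indented permission per line, ended by the next `...:` header)."""
    perms, inside = set(), False
    for line in dumpsys_text.splitlines():
        item = line.strip()
        if item == "requested permissions:":
            inside = True
        elif inside and item.endswith(":"):
            break
        elif inside and item:
            perms.add(item)
    return perms

def triage(pm_output, dumpsys_by_pkg):
    """Known Mandrake packages, plus apps requesting both suspect permissions
    (the latter is a lead for manual review, not a verdict)."""
    installed = parse_package_list(pm_output)
    leads = {pkg for pkg, text in dumpsys_by_pkg.items()
             if pkg in installed and SUSPECT_PERMS <= parse_requested_perms(text)}
    return {"known_mandrake": sorted(installed & MANDRAKE_PACKAGES),
            "overlay_background_leads": sorted(leads)}

# Constructed sample output standing in for a real device capture.
SAMPLE_PM = "package:com.android.chrome\npackage:com.airft.ftrnsfr\npackage:com.example.notes\n"
SAMPLE_DUMPSYS = {
    "com.example.notes": (
        "    requested permissions:\n      android.permission.INTERNET\n"
        "      android.permission.SYSTEM_ALERT_WINDOW\n"
        "      android.permission.FOREGROUND_SERVICE\n    install permissions:\n"
        "      android.permission.INTERNET: granted=true\n"),
    "com.android.chrome": (
        "    requested permissions:\n      android.permission.INTERNET\n"
        "    install permissions:\n"),
}
```

Many legitimate apps request overlay and foreground-service permissions, so the second list only narrows what to inspect by hand; a package-name match is the stronger indicator.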

“Android 13 introduced a ‘Restricted Settings’ feature, which prevents sideloaded apps from directly requesting dangerous permissions,” the researchers noted. “To circumvent this, Mandrake uses a ‘session-based’ package installer during the installation process.”

Mandrake is a dynamically evolving threat that continually refines its techniques to evade detection and bypass defense mechanisms.

“This situation underscores the skills of these threat actors and highlights that stricter app publishing controls can lead to more sophisticated and harder-to-detect threats infiltrating official app marketplaces,” the company added.

In response to the findings, Google has stated that it is continually enhancing Google Play Protect to better detect malicious apps, including live threat detection to combat obfuscation and anti-evasion tactics.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on devices with Google Play Services,” a Google spokesperson said. “Google Play Protect can warn users or block apps that exhibit malicious behavior, even if those apps are sourced from outside the Play Store.”

To protect yourself from spyware like Mandrake, it’s crucial to only download apps from trusted developers and read user reviews before installation. Regularly update your Android device to benefit from the latest security patches and enable Google Play Protect, which automatically scans for malicious apps.

Avoid sideloading apps from unknown sources, as these can bypass security features. Additionally, be cautious about granting unnecessary permissions to apps, particularly those that request access to sensitive data or functions like screen recording or remote control.