New Android spyware infiltrates Google Play Store, report says: Know what you can do to stay safe

Kaspersky now reports that a new variant of Mandrake that features better obfuscation and evasion entered Google Play

Mandrake spyware poses a threat in Google Play


A new version of the Android spyware ‘Mandrake’ has been found in five applications. Reportedly, the malware has been downloaded 32,000 times from Google Play, which is Android’s official app store.

Mandrake spyware can perform a wide range of malicious activities, including data collection, screen recording and monitoring, command execution, simulation of user swipes and taps, file management, and app installation. As reported by Kaspersky, Mandrake hides its initial stage in a native library, ‘libopencv_dnn.so,’ which is heavily obfuscated using OLLVM.

What went wrong

Kaspersky now reports that a new variant of Mandrake that features better obfuscation and evasion entered Google Play through five apps submitted to the store in 2022. But what went wrong and how does ‘Mandrake’ affect you? Here’s how ‘Mandrake’ has evolved to pose a bigger threat to your device:

  • After a two-year break, the Mandrake Android spyware returned to Google Play.
  • The threat actors have moved the core malicious functionality to native libraries obfuscated with OLLVM.
  • Communication with command-and-control servers (C2) now uses certificate pinning to prevent capture of SSL traffic.
  • Mandrake is equipped with a diverse arsenal of sandbox evasion and anti-analysis techniques.

According to Kaspersky, which is a cybersecurity firm, most of the downloads come from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. So which apps are affected? Kaspersky identified the five Mandrake-carrying apps as follows:

  • AirFS – File sharing via Wi-Fi by it9042 (30,305 downloads between April 28, 2022, and March 15, 2024)
  • Astro Explorer by shevabad (718 downloads from May 30, 2022, to June 6, 2023)
  • Amber by kodaslda (19 downloads between February 27, 2022, and August 19, 2023)
  • CryptoPulsing by shevabad (790 downloads from November 2, 2022, to June 6, 2023)
  • Brain Matrix by kodaslda (259 downloads between April 27, 2022, and June 6, 2023)

So, to stay safe, avoid installing the apps listed above.

The safety road ahead 

The threat actors are expected to prompt users to install further malicious APKs by displaying notifications that mimic Google Play. The fraudsters aim to trick users into installing unsafe files through a seemingly trustworthy process. To avoid such mishaps you should follow some safety precautions. These include:

  • Install apps from reputable publishers
  • Check user comments before installing
  • Avoid granting requests for risky permissions that seem unrelated to an app’s function
  • Make sure that Play Protect is always active
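The permission precaution above is easiest to act on with a quick audit of what is already installed. The script below is an added example written for this article, not code from Kaspersky, Google or the article's author: it parses the text that `adb shell dumpsys package` prints on a connected device and flags packages that hold permissions a file-sharing or puzzle app rarely needs, such as the ability to install further packages (the behaviour the article says Mandrake uses) or to draw over other apps. The embedded dump, the package names in it and the choice of "risky" permissions are constructed assumptions for the example; on a real device you would feed it the actual dumpsys output.

```python
"""Flag installed Android apps that hold permissions unrelated to their
apparent purpose. Parses the text printed by `adb shell dumpsys package`.
The sample dump below is constructed for this example (package names are
invented); the permission names are real Android permissions."""
import re
from collections import defaultdict

# Capabilities that let an app install more packages, overlay other apps,
# read messages or record audio. This selection is an assumption for the
# example; extend it to suit your own risk model.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
}

# Constructed excerpt in the shape of `dumpsys package` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fileshare] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
  Package [com.example.puzzle] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

# A package section starts with "Package [name] (...)".
PACKAGE_RE = re.compile(r"^\s*Package \[(?P<name>[\w.]+)\]")
# Granted permissions appear as "android.permission.X: granted=true".
GRANTED_RE = re.compile(r"^\s*(?P<perm>android\.permission\.\w+): granted=true")


def parse_granted_permissions(dump: str) -> dict:
    """Map each package name to the set of permissions marked granted=true."""
    granted = defaultdict(set)
    current = None
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group("name")
            granted[current]  # register the package even if nothing is granted
            continue
        m = GRANTED_RE.match(line)
        if m and current:
            granted[current].add(m.group("perm"))
    return dict(granted)


def flag_risky_apps(dump: str, risky=RISKY_PERMISSIONS) -> dict:
    """Return only the packages holding a risky permission, with the sorted hits."""
    hits = {}
    for pkg, perms in parse_granted_permissions(dump).items():
        found = sorted(perms & risky)
        if found:
            hits[pkg] = found
    return hits


if __name__ == "__main__":
    # On a real device: `adb shell dumpsys package > dump.txt` and read that file
    # instead of SAMPLE_DUMPSYS.
    for pkg, perms in flag_risky_apps(SAMPLE_DUMPSYS).items():
        print(f"{pkg}: {', '.join(perms)}")
```

A hit is a prompt to ask why the app needs that capability, not proof of infection; a legitimate file-transfer tool may well request install rights, which is exactly why the article's advice is to judge permissions against what the app is for.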

Furthermore, “Google Play Protect is continuously improving with each app identified. We’re always enhancing its capabilities, including upcoming live threat detection to help combat obfuscation and anti-evasion techniques,” Google told BleepingComputer.


This article was first uploaded on July 30, 2024, at 5:53 PM.