31 Jul

Mandrake Spyware targets Google Play Store

A new wave of the advanced Android spyware known as Mandrake was discovered in five apps on the Google Play Store, which remained undetected for two years and accumulated over 32,000 downloads.


Most of the installations originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. The latest version of Mandrake includes new obfuscation and evasion techniques, such as shifting malicious functionality to obfuscated libraries and using certificate pinning for C2 communications.

First reported by Bitdefender in May 2020, Mandrake has been active since 2016. The updated variants use advanced obfuscation and sandbox evasion techniques that hinder analysis of the malware. The affected apps include AirFS, Amber, Astro Explorer, Brain Matrix, and CryptoPulsing.

Mandrake initially installs a dropper, which downloads and executes the main malware component; the malware then collects device information and enables further malicious activities such as screen recording and credential theft.

As the researchers said, “Android 13 introduced the ‘Restricted Settings’ feature, which prohibits sideloaded applications from directly requesting dangerous permissions.” To bypass this feature, Mandrake performs the installation through a ‘session-based’ package installer.

Google said it is constantly strengthening its defenses in Google Play Protect, and Android users are automatically protected against known versions of this malware by blocking apps known to exhibit malicious behavior, even if those apps come from sources outside of Play.