
Mandrake spyware returns to Android’s Play Store after two years


Security researchers have discovered a new variant of the Mandrake spyware on the Google Play Store. Analysis identified at least five apps carrying Mandrake that were available on the Play Store between 2022 and 2024, with over 32,000 installations in total; most downloads came from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.

The affected apps are AirFS, Astro Explorer, Amber, CryptoPulsing, and Brain Matrix. All five were published on the Play Store in 2022, and most received updates as late as 2023. AirFS, one of the first infected apps to appear on the store, was updated most recently, on March 15, 2024.

Mandrake was originally documented by Bitdefender researchers in May 2020. They highlighted the spyware's approach of targeting only a handful of devices while otherwise staying dormant and hidden. At the time, it had been active since at least 2016.

The new variant was discovered by Kaspersky researchers, whose technical breakdown notes that the "new samples included new layers of obfuscation and evasion techniques". These include moving the malicious functionality into obfuscated native libraries (so the Java/Dalvik code that store scanners inspect first looks benign), using certificate pinning for command and control (C2) communications, and running multiple checks to determine whether the spyware is executing on a rooted device or inside an emulator or analysis environment.

To bypass the "Restricted Settings" feature in Android 13 and above, which prevents sideloaded apps from being granted sensitive permissions such as accessibility access, the spyware installs its next-stage payload through Android's session-based package installer API. Because this is the same installation path that app stores use, the installed package is not treated as sideloaded, and the Restricted Settings protection does not apply to it.

The spyware splits its operation into three stages. The first stage is limited to installation and gathering permissions, with no malicious functionality active, so the app appears legitimate. The second and third stages then add the malicious functionality, including hiding the app icon, removing downloaded core components, requesting the "draw over other apps" (overlay) permission, automatically obtaining permission to run in the background, and collecting device information such as connectivity status, battery optimisation state, ADB state, external IP address, and Google Play version.
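The behaviours described above (native code carrying the logic, session-based installation, overlay and background-running permissions, certificate pinning, and root/emulator checks) leave recognisable traces in an APK. The following is an added triage script, not code from the page or from Kaspersky's analysis, that scans an APK's dex and manifest for those traces and counts native libraries. The indicator strings are assumptions based on the standard Android and OkHttp identifiers such behaviour normally uses; the sample APKs are constructed in memory with a fake `classes.dex` that holds only strings, not real bytecode. The caveat the article itself supplies applies here too: once the logic is moved into obfuscated native libraries, the dex may contain none of these strings, so the presence of native code is itself part of the score.

```python
import io
import re
import zipfile

# Heuristic indicators (assumed, not taken from the Kaspersky report): API and
# permission strings that the behaviours described in the article would leave
# in classes.dex or the manifest of a repackaged app.
INDICATORS = {
    "session_installer": (
        rb"android/content/pm/PackageInstaller\$Session",
        "session-based PackageInstaller use (Restricted Settings bypass vector)",
    ),
    "overlay_permission": (
        rb"android\.permission\.SYSTEM_ALERT_WINDOW",
        "draw-over-other-apps (overlay) permission",
    ),
    "battery_optimisation": (
        rb"android\.permission\.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
        "request to keep running in the background",
    ),
    "cert_pinning": (
        rb"okhttp3/CertificatePinner|X509TrustManager",
        "custom TLS trust / certificate pinning (C2 hardening)",
    ),
    "emulator_or_root_check": (
        rb"ro\.kernel\.qemu|goldfish|/system/bin/su|/system/xbin/su",
        "root or emulator detection strings",
    ),
}

# Native libraries live under lib/<abi>/lib*.so inside the APK zip.
NATIVE_LIB = re.compile(r"^lib/[^/]+/lib[^/]+\.so$")


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage of an APK (a zip file) for the indicators above.

    Returns the matched indicators, the native libraries found, and a score of
    one point per matched indicator plus one if any native code is present.
    """
    found = {}
    native_libs = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        native_libs = [n for n in names if NATIVE_LIB.match(n)]
        blobs = [zf.read(n) for n in names
                 if n.endswith(".dex") or n == "AndroidManifest.xml"]
    haystack = b"\n".join(blobs)
    for key, (pattern, description) in INDICATORS.items():
        if re.search(pattern, haystack):
            found[key] = description
    score = len(found) + (1 if native_libs else 0)
    return {"indicators": found, "native_libs": native_libs, "score": score}


def build_sample_apk(dex_strings, native_libs) -> bytes:
    """Construct a minimal stand-in APK in memory for offline testing.

    The classes.dex entry is a constructed blob that only carries the strings
    of interest; it is not a real Dalvik executable.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0".join(dex_strings))
        for lib in native_libs:
            zf.writestr(lib, b"\x7fELF")  # constructed placeholder, not a real .so
    return buf.getvalue()


# Constructed samples: a benign-looking first stage with no indicators, and a
# loaded stage carrying the capabilities the article describes.
BENIGN_STAGE = build_sample_apk([b"Lcom/example/fileshare/MainActivity;"], [])
LOADED_STAGE = build_sample_apk(
    [b"Landroid/content/pm/PackageInstaller$Session;",
     b"android.permission.SYSTEM_ALERT_WINDOW",
     b"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
     b"Lokhttp3/CertificatePinner;",
     b"ro.kernel.qemu"],
    ["lib/arm64-v8a/libcore.so"],
)

if __name__ == "__main__":
    for label, apk in (("benign-looking stage", BENIGN_STAGE),
                       ("loaded stage", LOADED_STAGE)):
        result = triage_apk(apk)
        print(f"{label}: score={result['score']} native={result['native_libs']}")
        for key, description in result["indicators"].items():
            print(f"  - {key}: {description}")
```

In practice an analyst would run `triage_apk` over the APK files pulled from a device or from the store listing and treat a high score, or a low score combined with unexplained native libraries, as a reason to move to dynamic analysis, where the staged downloads and the C2 traffic (pinned, so not inspectable with an ordinary interception proxy) become visible.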


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
