Kaspersky has discovered that Mandrake spyware has been hidden for two years and has already been installed more than 32,000 times through Google Play. Suggested tips to increase security.
Kaspersky researchers have discovered a new spyware campaign that spreads Mandrake malware via Google Play, posing as legitimate apps related to cryptocurrency, astronomy and various utilities.
Kaspersky experts have discovered 5 Mandrake apps on Google Play that have been available for two years now. They have been downloaded more than 32,000 times and have advanced evasion features and techniques. This makes these apps impossible for security providers to detect.
Mandrake First discovered in 2020, the spyware is a sophisticated Android spyware platform that has been in operation since at least 2016. In April 2024, Kaspersky researchers discovered a strange sample. This suggests that it is a new version of Mandrake with improved functionality.
These new trailers feature advanced cloaking and evasion techniques. These include converting malicious functions into obfuscated native libraries using OLLVM, using certificates to securely communicate with command and control (C2) servers, and performing extensive investigations to detect whether Mandrake is running on a rooted device or inside an emulated environment.
The distinguishing features of the new version of Mandrake are: the addition of advanced anonymization techniques designed to bypass Google Play security checks and impede analysis.
The five apps that contain Mandrake spyware on Google Play were launched as a Wi-Fi file sharing app, an astronomy service app, the Amber app for the Genshin game, and a cryptocurrency app. The apps that contain puzzle games as of July 2024, according to VirusTotal, none of the apps have been detected as malware by any vendor.
Although these malicious apps are no longer available on Google Play, they were previously available for download in several countries. The majority of downloads were in Canada, Germany, Italy, Mexico, Spain, Peru, and the United Kingdom.
Considering the similarities between the current campaigns and previous campaigns against C2 domains registered in Russia, Kaspersky has assumed with high confidence that the threat actors are the same as those identified in Bitdefender’s initial discovery report.
“After evading detection for four years in the initial release, the latest Mandrake campaign remains undetected on Google Play for two years, demonstrating the advanced skills of the threat actors involved,” said Tatiana Shishkova, senior security researcher on the GReAT team at Kaspersky.
It also highlights a worrying trend. Due to tighter restrictions and more stringent security checks, the threats that sneak into official app stores are becoming increasingly sophisticated. This makes them harder to detect.
Mandrake Recommended Safety Tips
- Use the official market
Download apps and software from official and trusted sources. Avoid third-party app stores as there is a high risk of hosting such apps and software. Even official platforms can host malicious apps. Always check ratings and reviews before downloading.
- Use reputable security software.
Install and maintain reputable antivirus and antimalware software on your device. Scan your device regularly for potential threats. Keep your security software up to date with Kaspersky Premium to protect users from threats.
- Learn more about scams
Stay up to date on the latest cyber threats, techniques and tactics. Be wary of suspicious requests and offers. Or urgent requests for personal or financial information.
Read more news
Follow us on
“Unapologetic communicator. Wannabe web lover. Friendly travel scholar. Problem solver. Amateur social mediaholic.”