Mandrake Spyware Resurfaces: Hidden in Popular Google Play Apps for Two Years
Mandrake spyware has reappeared in five applications on the Google Play Store after staying hidden for two years. The spyware, whose carrier apps accumulated more than 32,000 downloads, was hard to detect, raising concerns about mobile security.
The Discovery of Mandrake Spyware
Technical Details
Researchers at Kaspersky discovered a new version of Mandrake. This version uses several techniques to evade detection, including moving its malicious functionality into obfuscated native libraries and using certificate pinning for its communication with command-and-control (C2) servers. Together, these measures make the malware hard for security tools to recognize.
Background
Mandrake was first publicly documented in May 2020 by the Romanian security company Bitdefender, which noted that the spyware deliberately infected only a small number of devices so that it would remain unnoticed. Mandrake has been active since 2016 and is still being refined to bypass security measures.
Applications
The applications containing Mandrake include:
- AirFS (com.airft.ftrnsfr)
- Amber (com.shrp.sght)
- Astro Explorer (com.astro.dscvr)
- Brain Matrix (com.brnmth.mtrx)
- CryptoPulsing (com.cryptopulsing.browser)
Until they were removed, these apps attracted users mainly from countries such as Canada, Germany, and Spain.
Malware Implant
Mandrake uses a three-stage infection process. The app first drops a loader, and the loader then downloads and executes the malware's core component from the C2 server.
Infection Chain
The infection starts when a user installs one of the malicious apps. The dropper installs the loader, which contacts the C2 server and then executes the core component. Once running, the malware can quickly collect a wide range of device details.
How Mandrake Stayed Hidden
Second-Stage Commands
The second stage of Mandrake's process collects device information such as the device's IP address and the list of installed applications. It can also report the battery status and the Google Play version.
Third Stage Commands
The third stage adds capabilities such as loading URLs in a WebView, starting remote screen sharing, and recording the device's screen. At this stage, the goal is to steal sensitive information and deliver additional malware.
Data Decryption Methods
Mandrake encrypts the data it carries and decrypts it only when needed. Combined with code obfuscation, this makes it difficult for antivirus engines to read and analyze the malware, so it stays concealed.
Sandbox Evasion Techniques
To avoid detection in analysis environments, Mandrake uses sandbox evasion methods, which make it difficult for researchers to observe the malware's behavior in controlled settings.
C2 Communication
Mandrake's command-and-control communication is sophisticated: it receives instructions over secured channels while staying under the radar of security systems.
Implications and Attribution
Potential Victims
Anyone who has downloaded one of the affected applications is at risk. Given the number of installations, the potential for harm is extensive, putting personal data on many devices in jeopardy.
Indicators of Compromise
Key signs of a possible infection include unusual device behavior, apps that appear without the user having installed them, and sudden permission requests from apps. Users should stay vigilant and inspect their devices regularly.
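The most concrete indicator the article gives is the list of five package names above. Because removal from Google Play does not uninstall an app from devices that already have it, a quick check is to compare a device's installed-package list against those names. The script below is an added example, not code from the article or from Kaspersky; it assumes the input is the text produced by `adb shell pm list packages` (one `package:<name>` line per app) and ships with a constructed sample so it runs offline. Note the limitation: an exact package-name match only catches these five identifiers, not repackaged variants published under other names.

```python
"""Flag installed Android packages that match the Mandrake package names
listed in the article (added example; the package list is the article's,
the parsing and sample data are constructed here)."""
import sys

# Package names copied from the article's list of affected apps.
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr": "AirFS",
    "com.shrp.sght": "Amber",
    "com.astro.dscvr": "Astro Explorer",
    "com.brnmth.mtrx": "Brain Matrix",
    "com.cryptopulsing.browser": "CryptoPulsing",
}


def parse_pm_list(output: str) -> list[str]:
    """Parse the output of `adb shell pm list packages`.

    Each line is expected to look like `package:com.example.app`; blank lines
    and anything that does not start with `package:` are ignored, so stray
    adb warnings mixed into the output do not break the parser.
    """
    packages = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.append(line[len("package:"):])
    return packages


def find_mandrake_packages(output: str) -> list[tuple[str, str]]:
    """Return (package name, app name) for every installed package that
    exactly matches one of the article's Mandrake package names, in the
    order in which they appear in the input."""
    return [
        (pkg, MANDRAKE_PACKAGES[pkg])
        for pkg in parse_pm_list(output)
        if pkg in MANDRAKE_PACKAGES
    ]


# Constructed sample output (assumption: mimics the `pm list packages` format),
# containing two of the listed packages among ordinary system apps.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.airft.ftrnsfr
package:com.google.android.gms
package:com.cryptopulsing.browser
"""

if __name__ == "__main__":
    # Usage on a real device: adb shell pm list packages | python3 check_mandrake.py
    # With no piped input, the constructed sample is used instead.
    text = SAMPLE_PM_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    hits = find_mandrake_packages(text)
    if not hits:
        print("No packages matching the article's Mandrake list were found.")
    for pkg, app in hits:
        print(f"MATCH: {pkg} ({app}) is installed; uninstall and investigate.")
```

A hit only means one of the exact carrier apps from the article is present; a clean result does not rule out other Mandrake builds, so treat the script as a first triage step alongside the behavioral signs listed above.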
Protecting Against Malware on Google Play
Staying Cautious When Downloading Apps
Users should always check an app's ratings and reviews before downloading it. Unverified apps can hide malicious code.
Using Antivirus Software
Installing a reliable antivirus program can help identify and remove threats before they harm the device.
Reporting Suspicious Apps to Google
If an app seems questionable, users should report it to Google immediately. Doing so helps protect other users and keeps the app ecosystem safer.
Keeping Software Updated
Regularly updating the operating system and applications patches the security vulnerabilities that attackers exploit.
Additional Security Measures for Android Devices
Using features such as two-factor authentication and reviewing app permissions can further secure devices against infection. Keeping security settings strict and granting apps only the permissions they need helps protect user data.
In summary, the resurgence of Mandrake spyware serves as a reminder for mobile users. Awareness and proactive measures are vital for maintaining safety in a digital world filled with threats.