Summarize

Simplifying... Inshort

Beware Android users! Five apps on Google Play, including the popular AirFS, were found to be carriers of the 'Mandrake' spyware, which can perform malicious activities like data collection and screen recording.
Despite their removal, the threat persists, so remember to only download apps from trusted sources, check user comments, and keep Google Play Protect active to stay safe.

Was a long read? Making it simpler...

Next Article

New variant of Android spyware discovered is more sophisticated

Delete THESE apps now! Android spyware 'Mandrake' infiltrates Play Store

By Mudit Dube

Jul 30, 2024

03:38 pm

What's the story

A new variant of the Android spyware 'Mandrake' has been discovered in five applications on Google Play. These infected apps have been downloaded 32,000 times since 2022. The original version of Mandrake was first identified by Bitdefender in 2020, and was found to be operational since at least 2016. The new variant is more sophisticated with improved evasion and obfuscation techniques.

Infiltration

Mandrake spyware spread through five apps since 2022

The new Mandrake variant was introduced to Google Play through five apps that were submitted to the store in 2022. These apps remained active for over a year, with the last one, AirFS, being removed at the end of March 2024. The apps identified by Kaspersky as carriers of Mandrake are AirFS, Astro Explorer, Amber, CryptoPulsing, and Brain Matrix. Among them, AirFS was the most downloaded with over 30,000 downloads between April 28, 2022, and March 15, 2024.

Geographic spread

Majority of infected app downloads originated from seven countries

The majority of these downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. Unlike typical Android malware that places malicious logic in the app's DEX file, Mandrake conceals its initial stage in a native library named 'libopencv_dnn.so,' which is heavily obfuscated. Upon installation of the malicious app, this library exports functions to decrypt a second-stage loader DEX from its assets folder and load it into memory.

Malicious capabilities

Mandrake spyware can perform a range of malicious activities

Once activated, the Mandrake spyware can perform a range of malicious activities. These include data collection, screen recording and monitoring, command execution, simulation of user swipes and taps, file management, and app installation. The malware can also prompt users to install further malicious APKs by displaying notifications that mimic Google Play.

Prevention measures

Mandrake spyware threat: How Android users can stay protected

Despite the removal of the identified apps from Google Play, the threat of Mandrake persists. To stay protected, Android users are advised to only install apps from reputable publishers, check user comments before installing, avoid granting requests for risky permissions unrelated to an app's function, and ensure that Google Play Protect is always active. These measures can reduce the risk of falling victim to such sophisticated spyware.