Delete THESE apps now! Android spyware 'Mandrake' infiltrates Play Store
What's the story
A new variant of the Android spyware 'Mandrake' has been discovered in five applications on Google Play.
These infected apps have been downloaded 32,000 times since 2022.
The original version of Mandrake was first identified by Bitdefender in 2020, and was found to be operational since at least 2016.
The new variant is more sophisticated with improved evasion and obfuscation techniques.
Infiltration
Mandrake spyware spread through five apps since 2022
The new Mandrake variant was introduced to Google Play through five apps that were submitted to the store in 2022.
These apps remained active for over a year, with the last one, AirFS, being removed at the end of March 2024.
The apps identified by Kaspersky as carriers of Mandrake are AirFS, Astro Explorer, Amber, CryptoPulsing, and Brain Matrix.
Among them, AirFS was the most downloaded with over 30,000 downloads between April 28, 2022, and March 15, 2024.
Geographic spread
Majority of infected app downloads originated from seven countries
The majority of these downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
Unlike typical Android malware, which places its malicious logic in the app's DEX file, Mandrake conceals its initial stage in a heavily obfuscated native library named 'libopencv_dnn.so', a name borrowed from a legitimate OpenCV component so that it blends in with ordinary app dependencies.
When the infected app runs, this library exports functions that decrypt a second-stage loader DEX from the APK's assets folder and load it directly into memory, so the second stage never exists as a plain file that a scanner could inspect.
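The staging pattern above (a native library with a benign-looking name next to an opaque asset that is really an encrypted payload) is something an analyst can triage statically. The script below is an added example written for this article, not code from Kaspersky or from the Mandrake samples: it treats an APK as the zip file it is, lists native libraries and assets, measures the byte entropy of each asset, and flags the combination described in the text. The library name comes from the article; the entropy threshold, the demo file names, and the in-memory fake APK are assumptions constructed for the demonstration.

```python
"""Added example (not from the article or Kaspersky's report): static triage of an
APK for the native-loader staging pattern described in the text."""

import io
import math
import os
import zipfile
from collections import Counter

# Library name cited in the article; extend this set with other suspect names.
SUSPECT_LIB_NAMES = {"libopencv_dnn.so"}
# Assumed cut-off (bits per byte): encrypted or random data sits close to 8.0.
ENTROPY_THRESHOLD = 7.5
# Asset types that are legitimately high-entropy (compressed media/archives).
COMPRESSED_EXTS = (".png", ".jpg", ".jpeg", ".webp", ".ogg", ".mp3", ".mp4", ".zip")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Inspect an APK and report native libraries, opaque assets and a verdict.

    The verdict is deliberately narrow: a suspect native library *and* at least one
    high-entropy asset that is not a known compressed format. Either signal alone
    is common in benign apps; the combination is the loader pattern in the text.
    """
    findings = {"native_libs": [], "opaque_assets": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
            elif name.startswith("assets/") and not info.is_dir():
                entropy = shannon_entropy(zf.read(name))
                if entropy >= ENTROPY_THRESHOLD and not name.lower().endswith(COMPRESSED_EXTS):
                    findings["opaque_assets"].append((name, round(entropy, 2)))
    lib_basenames = {os.path.basename(n) for n in findings["native_libs"]}
    findings["suspicious"] = bool(lib_basenames & SUSPECT_LIB_NAMES) and bool(findings["opaque_assets"])
    return findings


def build_demo_apk(with_payload: bool) -> bytes:
    """Construct a minimal fake APK in memory for the demo (not a real sample).

    with_payload=True adds a uniformly distributed blob under assets/ standing in
    for an encrypted second-stage DEX; False adds a plain-text asset instead.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("lib/arm64-v8a/libopencv_dnn.so", b"\x7fELF" + b"\x00" * 64)
        if with_payload:
            # Every byte value 16 times: entropy exactly 8.0, a deterministic stand-in
            # for ciphertext so the demo gives the same result on every run.
            zf.writestr("assets/data.bin", bytes(range(256)) * 16)
        else:
            zf.writestr("assets/readme.txt", b"hello " * 100)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("staged payload", True), ("plain asset", False)):
        print(label, "->", triage_apk(build_demo_apk(flag)))
```

To run this against a real APK, pass `open(path, "rb").read()` to `triage_apk`. Treat a hit as a lead for dynamic analysis rather than a verdict: a packer or a game engine can legitimately ship encrypted assets, so the next step is confirming that the native library actually decrypts and loads a DEX at runtime.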
Malicious capabilities
Mandrake spyware can perform a range of malicious activities
Once activated, the Mandrake spyware can perform a range of malicious activities.
These include data collection, screen recording and monitoring, command execution, simulation of user swipes and taps, file management, and app installation.
The malware can also prompt users to install further malicious APKs by displaying notifications that mimic Google Play.
Prevention measures
Mandrake spyware threat: How Android users can stay protected
Despite the removal of the identified apps from Google Play, the threat of Mandrake persists.
To stay protected, Android users are advised to only install apps from reputable publishers, check user comments before installing, avoid granting requests for risky permissions unrelated to an app's function, and ensure that Google Play Protect is always active.
These measures can reduce the risk of falling victim to such sophisticated spyware.