Delete THESE apps now! Android spyware 'Mandrake' infiltrates Play Store
New variant of Android spyware discovered is more sophisticated

Jul 30, 2024
03:38 pm

What's the story

A new variant of the Android spyware 'Mandrake' has been discovered in five applications on Google Play. These infected apps have been downloaded 32,000 times since 2022. The original version of Mandrake was first identified by Bitdefender in 2020, and was found to be operational since at least 2016. The new variant is more sophisticated with improved evasion and obfuscation techniques.

Infiltration

Mandrake spyware spread through five apps since 2022

The new Mandrake variant was introduced to Google Play through five apps that were submitted to the store in 2022. These apps remained active for over a year, with the last one, AirFS, being removed at the end of March 2024. The apps identified by Kaspersky as carriers of Mandrake are AirFS, Astro Explorer, Amber, CryptoPulsing, and Brain Matrix. Among them, AirFS was the most downloaded with over 30,000 downloads between April 28, 2022, and March 15, 2024.

Geographic spread

Majority of infected app downloads originated from seven countries

The majority of these downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. Unlike typical Android malware that places malicious logic in the app's DEX file, Mandrake conceals its initial stage in a native library named 'libopencv_dnn.so', which is heavily obfuscated. Upon installation of the malicious app, this library exports functions to decrypt a second-stage loader DEX from its assets folder and load it into memory.

Malicious capabilities

Mandrake spyware can perform a range of malicious activities

Once activated, the Mandrake spyware can perform a range of malicious activities. These include data collection, screen recording and monitoring, command execution, simulation of user swipes and taps, file management, and app installation. The malware can also prompt users to install further malicious APKs by displaying notifications that mimic Google Play.

Prevention measures

Mandrake spyware threat: How Android users can stay protected

Despite the removal of the identified apps from Google Play, the threat of Mandrake persists. To stay protected, Android users are advised to only install apps from reputable publishers, check user comments before installing, avoid granting requests for risky permissions unrelated to an app's function, and ensure that Google Play Protect is always active. These measures can reduce the risk of falling victim to such sophisticated spyware.