[Cyware] Mandrake Spyware Infects 32,000 Devices Via Google Play Apps

Summary: Security researchers have identified a new version of Mandrake, a sophisticated Android cyber-espionage malware that evaded detection for years while hidden in Google Play applications. The updated malware features advanced obfuscation techniques and a multi-stage infection chain, making it increasingly difficult for cybersecurity experts to detect.

Threat Actor: Mandrake Group | Mandrake
Victim: Android Users | Android Users

Key Points:

  • Mandrake’s new variant was found in five Google Play applications, accumulating over 32,000 downloads before detection.
  • The malware employs enhanced evasion tactics, including obfuscation and certificate pinning for secure communications.
  • Its multi-stage infection chain complicates analysis, as malicious activities are hidden within native libraries.
  • The threat actors utilize a mix of custom algorithms and standard AES encryption for data handling.
  • Stricter app controls have not deterred the emergence of more sophisticated threats in official marketplaces.

Security researchers have shed light on a new iteration of Mandrake, a sophisticated Android cyber-espionage malware tool. Initially analyzed by Bitdefender in May 2020, Mandrake had operated undetected for at least four years. 

In April 2024, Kaspersky researchers discovered suspicious samples that were confirmed to be a new version of Mandrake. This latest variant was concealed within five applications on Google Play from 2022 to 2024, amassing over 32,000 downloads while remaining undetected by other cybersecurity vendors.

The updated Mandrake samples, described in an advisory published by Kaspersky today, displayed enhanced obfuscation and evasion tactics. Key changes included moving malicious functions to obfuscated native libraries, using certificate pinning for secure communications with command-and-control (C2) servers, and implementing various tests to avoid detection on rooted or emulated devices. 

These applications reportedly remained on Google Play for up to two years, with the most downloaded app, AirFS, accumulating over 30,000 installations before its removal in March 2024.

Sophisticated Infection Chain

From a technical standpoint, the new Mandrake version operates through a multi-stage infection chain. Initially, malicious activity is hidden within a native library, making it harder to analyze compared to previous campaigns where the first stage was in the DEX file. 

Upon execution, the first-stage library decrypts and loads the second stage, which then initiates communication with the C2 server. If deemed relevant, the C2 server commands the device to download and execute the core malware, which is designed to steal user credentials and deploy additional malicious applications.

Mandrake’s evasion techniques have become more sophisticated, Kaspersky warned, incorporating checks for emulation environments, rooted devices and the presence of analyst tools. These enhancements make it challenging for cybersecurity experts to detect and analyze the malware. 

Notably, the threat actors behind Mandrake also employed a novel approach to data encryption and decryption, utilizing a mix of custom algorithms and standard AES encryption.


“The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion and bypassing new defense mechanisms. After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years while still available for download on Google Play,” Kaspersky explained.

“This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.”


Source: https://www.infosecurity-magazine.com/news/mandrake-spyware-infects-32000