A new version of the Android spyware known as Mandrake has been discovered in five applications that were available for download from the Google Play Store, remaining undetected for two years. Over 32,000 users downloaded these apps before they were removed, according to a recent report by cybersecurity firm Kaspersky.
Most of the downloads came from Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K., highlighting the spyware’s global reach. In a detailed analysis, researchers Tatyana Shishkova and Igor Golovin explained the sophisticated tactics used by Mandrake to infiltrate devices. They noted that “the new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment.”
Mandrake first came to light in May 2020 when Romanian cybersecurity vendor Bitdefender described its calculated method of targeting only a small number of devices while remaining hidden since 2016. The latest variants of Mandrake are characterized by the use of OLLVM (Obfuscation through LLVM) to conceal the core functionalities. They also employ an array of sandbox evasion and anti-analysis techniques to prevent malware analysts from executing the code in controlled environments.
Here is the list of apps that contained Mandrake:
AirFS (com.airft.ftrnsfr)
Amber (com.shrp.sght)
Astro Explorer (com.astro.dscvr)
Brain Matrix (com.brnmth.mtrx)
CryptoPulsing (com.cryptopulsing.browser)
How Mandrake Operates
Mandrake employs a three-stage process to infect devices:
Stage One – Dropper: The app initially launches a dropper that activates a loader responsible for downloading and decrypting the main component of the malware from a command-and-control (C2) server.
Stage Two – Loader: This stage collects detailed information about the device, including connectivity status, installed applications, battery percentage, external IP address, and current Google Play version. It can also erase the core module and request permissions to draw overlays and run in the background.
Stage Three – Core Module: This stage supports additional commands to open specific URLs in a WebView, initiate remote screen sharing sessions, and record the device’s screen. The goal is to steal users’ credentials and install more malware on the device.
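A responder's triage check in the spirit of the report, added here as an example (it is not Kaspersky's or Google's tooling): it parses `pm list packages -f` and `dumpsys package` output, flags the five package names listed above, and separately flags any other third-party app that has been granted the overlay permission the loader stage requests. The device output and every package name other than the five from the report are constructed samples.

```python
import re

# Package names listed in the Kaspersky report quoted above.
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr", "com.shrp.sght", "com.astro.dscvr",
    "com.brnmth.mtrx", "com.cryptopulsing.browser",
}

# The loader stage requests permission to draw overlays; a third-party app
# holding it is worth a look even when its package name is not on the list.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample of `adb shell pm list packages -f -3` (third-party apps only).
PM_LIST = """\
package:/data/app/~~aaaa==/com.airft.ftrnsfr-bbbb==/base.apk=com.airft.ftrnsfr
package:/data/app/~~cccc==/com.example.notes-dddd==/base.apk=com.example.notes
package:/data/app/~~eeee==/com.example.overlayer-ffff==/base.apk=com.example.overlayer
"""

# Constructed sample of the permission lines from `adb shell dumpsys package <pkg>`,
# keyed by package name (hypothetical packages apart from the Mandrake one).
DUMPSYS = {
    "com.airft.ftrnsfr": "    android.permission.INTERNET: granted=true\n"
                         "    android.permission.SYSTEM_ALERT_WINDOW: granted=true\n",
    "com.example.notes": "    android.permission.INTERNET: granted=true\n",
    "com.example.overlayer": "    android.permission.SYSTEM_ALERT_WINDOW: granted=true\n",
}

def parse_pm_list(text):
    """Return {package_name: apk_path}; paths may contain '=' so split on the last one."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:") and "=" in line:
            apk, pkg = line[len("package:"):].rsplit("=", 1)
            out[pkg] = apk
    return out

def granted_permissions(dumpsys_text):
    """Collect permissions reported as granted=true (runtime lines may carry extra flags)."""
    return {p for p, g in re.findall(r"(\S+): granted=(true|false)", dumpsys_text) if g == "true"}

def triage(pm_text, dumpsys_by_pkg):
    """Return (package, reason, apk_path) tuples in device listing order."""
    findings = []
    for pkg, apk in parse_pm_list(pm_text).items():
        perms = granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        if pkg in MANDRAKE_PACKAGES:
            findings.append((pkg, "known Mandrake package name", apk))
        elif OVERLAY_PERMISSION in perms:
            findings.append((pkg, "third-party app holding overlay permission", apk))
    return findings
```

The flagged apk path is what you would pull with `adb pull` for further analysis; an overlay finding alone is a lead, not a verdict.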
“Android 13 introduced the ‘Restricted Settings’ feature, which prohibits sideloaded applications from directly requesting dangerous permissions,” the researchers explained. “To bypass this feature, Mandrake processes the installation with a ‘session-based’ package installer.”
Kaspersky describes Mandrake as a constantly evolving threat that refines its techniques to bypass defense mechanisms and avoid detection. This situation underscores the expertise of threat actors and highlights the challenge of keeping malicious apps out of official app marketplaces.
“This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces,” Kaspersky said.
In response to the discovery, Google stated that it is continually strengthening Google Play Protect defenses as new malicious apps are identified. The company is enhancing its capabilities to include live threat detection aimed at tackling obfuscation and anti-evasion techniques.
“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services,” a Google spokesperson said. “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
The discovery of Mandrake in legitimate apps on the Google Play Store is a stark reminder of the challenges faced by security experts and users alike in safeguarding personal data. As cyber threats continue to evolve, so too must the tools and techniques used to combat them. Both app developers and users must remain vigilant, ensuring that only trusted apps are installed and that device security settings are kept up to date.