ShiftDelete.Net Global

Mysterious malware hid in Google Play for years!


Mandrake malware, which lurked unnoticed on Google Play for a long time, has resurfaced. First detected by Bitdefender in 2020, the malware has spent years spying on users and stealing sensitive information through various apps.

The Mandrake malware used unusual methods to remain undetected on Android devices for years. Active in two waves, 2016-2017 and 2018-2020, Mandrake avoided detection by staying inactive in 90 countries, by sending custom payloads only to targeted victims, and by a “seppuku” key that made it erase itself completely. It also kept users convinced with fully functional fake apps and a process for quickly fixing bugs.

Apps identified as carrying Mandrake:

Package name              | App name       | MD5                              | Developer | Released     | Last updated on Google Play | Downloads
com.airft.ftrnsfr         | AirFS          | 33fdfbb1acdc226eb177eb42f3d22db4 | it9042    | Apr 28, 2022 | Mar 15, 2024                | 30,305
com.astro.dscvr           | Astro Explorer | 31ae39a7abeea3901a681f847199ed88 | shevabad  | May 30, 2022 | Jun 06, 2023                | 718
com.shrp.sght             | Amber          | b4acfaeada60f41f6925628c824bb35e | kodaslda  | Feb 27, 2022 | Aug 19, 2023                | 19
com.cryptopulsing.browser | CryptoPulsing  | e165cda25ef49c02ed94ab524fafa938 | shevabad  | Nov 02, 2022 | Jun 06, 2023                | 790
com.brnmth.mtrx           | Brain Matrix   |                                  | kodaslda  | Apr 27, 2022 | Jun 06, 2023                | 259

According to Bitdefender’s 2020 report, victims of this malware numbered in the tens of thousands, or even hundreds of thousands, over a four-year period. In 2022, Kaspersky reported that Mandrake was again lurking on Google Play and targeting users with even more sophisticated methods.

The new generation of Mandrake uses a number of advanced techniques to disguise its malicious behavior, including multi-layered obfuscation and malicious functions ported to native libraries, which makes the malware harder for researchers to detect. Specifically, Mandrake moves its malicious code into a native library, libopencv_dnn.so, where it is harder to analyze and detect than in the app’s Java or Kotlin code.
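An added triage example, not code from the article, Kaspersky or Bitdefender: it parses the output of `adb shell pm list packages -f`, checks each installed package against the indicator table above (package names and MD5 hashes copied from the page), and inspects the APK for a bundled native library named libopencv_dnn.so. Note that libopencv_dnn.so is also the name of a legitimate OpenCV module, so its presence is only a lead for review, not proof of infection. The sample APKs and `pm` lines are constructed inside the block so it runs offline; the helper names (`triage`, `native_libs`, `build_sample_apks`) are this example’s own.

```python
import hashlib
import os
import re
import tempfile
import zipfile

# Indicators copied from the article's table: package name -> (app name, MD5 of the sample).
# Brain Matrix has no MD5 on the page, so it is matched by package name only.
MANDRAKE_IOCS = {
    "com.airft.ftrnsfr": ("AirFS", "33fdfbb1acdc226eb177eb42f3d22db4"),
    "com.astro.dscvr": ("Astro Explorer", "31ae39a7abeea3901a681f847199ed88"),
    "com.shrp.sght": ("Amber", "b4acfaeada60f41f6925628c824bb35e"),
    "com.cryptopulsing.browser": ("CryptoPulsing", "e165cda25ef49c02ed94ab524fafa938"),
    "com.brnmth.mtrx": ("Brain Matrix", None),
}

# Native library name the article says Mandrake hides its code in (also a real OpenCV module name).
SUSPECT_NATIVE_LIB = "libopencv_dnn.so"

# `pm list packages -f` prints lines like "package:/data/app/.../base.apk=com.example.app".
PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")


def parse_pm_list(text):
    """Parse `adb shell pm list packages -f` output into {package_name: apk_path}."""
    found = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            found[m.group("pkg")] = m.group("path")
    return found


def md5_of_file(path):
    """Stream the file so large APKs do not have to be read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def native_libs(apk_path):
    """Return the base names of native libraries bundled under lib/ in an APK (APKs are zips)."""
    with zipfile.ZipFile(apk_path) as z:
        return sorted({os.path.basename(n) for n in z.namelist()
                       if n.startswith("lib/") and n.endswith(".so")})


def triage(pm_output):
    """Return one finding per installed package whose name is in the Mandrake indicator list."""
    findings = []
    for pkg, path in parse_pm_list(pm_output).items():
        if pkg not in MANDRAKE_IOCS:
            continue
        app_name, known_md5 = MANDRAKE_IOCS[pkg]
        digest = md5_of_file(path)
        findings.append({
            "package": pkg,
            "app_name": app_name,
            "md5": digest,
            # A hash mismatch on a listed package name suggests an updated or repackaged build,
            # not a clean app, so the package-name match is the primary signal.
            "md5_matches_known_sample": known_md5 is not None and digest == known_md5,
            "has_suspect_native_lib": SUSPECT_NATIVE_LIB in native_libs(path),
        })
    return findings


def build_sample_apks(directory):
    """Constructed stand-in APKs (plain zips with placeholder contents) so the example runs offline."""
    bad = os.path.join(directory, "base_bad.apk")
    with zipfile.ZipFile(bad, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/arm64-v8a/libopencv_dnn.so", b"\x7fELF placeholder")
    good = os.path.join(directory, "base_good.apk")
    with zipfile.ZipFile(good, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/arm64-v8a/libnotes.so", b"\x7fELF placeholder")
    return bad, good


def demo():
    """Run the triage over constructed `pm list packages -f` lines pointing at the sample APKs."""
    with tempfile.TemporaryDirectory() as d:
        bad, good = build_sample_apks(d)
        pm_output = f"package:{bad}=com.airft.ftrnsfr\npackage:{good}=com.example.notes\n"
        return triage(pm_output)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real device you would feed `triage` the captured output of `adb shell pm list packages -f` after pulling the listed APKs with `adb pull`, then compare the reported MD5 with the table; a listed package name with a different hash still deserves removal and a closer look, since the article notes the authors push fixed builds quickly.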

Next-generation Mandrake uses methods such as screen recording to steal users’ credentials and, in later stages, to download further malicious apps. Screen recording is started by commands from the command-and-control server and silently captures the information users type in.


Kaspersky researchers Tatyana Shishkova and Igor Golovin noted that Mandrake is dynamically evolving and constantly improving its methods. These improvements make the malware harder for researchers to detect and allow it to bypass Google Play’s moderation processes.

The apps identified by Kaspersky as containing Mandrake have already been removed from Google Play. That does not mean the malware will not reappear in a different form in the future, so caution is still warranted.
