Mandrake malware, which lurked unnoticed on Google Play for a long time, has resurfaced. First detected by Bitdefender in 2020, the malware has spent years spying on users and stealing sensitive information through various apps.
How did Mandrake malware hide in Google Play?
The Mandrake malware used unique methods to remain undetected on Android devices for years. First appearing in two waves between 2016-2017 and 2018-2020, Mandrake avoided detection by being inactive in 90 countries, sending custom payloads to targeted victims, and a “seppuku” key that completely erased itself. It also managed to mislead users with fully functional fake apps and a system that quickly fixes bugs.
:
| Package Name | App Name | MD5 | Developer | Released | Last Updated on Google Play | Downloads |
|---|---|---|---|---|---|---|
| com.airft.ftrnsfr | AirFS | 33fdfbb1acdc226eb177eb42f3d22db4 | it9042 | Apr 28, 2022 | Mar 15, 2024 | 30,305 |
| com.astro.dscvr | Astro Explorer | 31ae39a7abeea3901a681f847199ed88 | shevabad | May 30, 2022 | Jun 06, 2023 | 718 |
| com.shrp.sght | Amber | b4acfaeada60f41f6925628c824bb35e | kodaslda | Feb 27, 2022 | Aug 19, 2023 | 19 |
| com.cryptopulsing.browser | CryptoPulsing | e165cda25ef49c02ed94ab524fafa938 | shevabad | Nov 02, 2022 | Jun 06, 2023 | 790 |
| com.brnmth.mtrx | Brain Matrix | – | kodaslda | Apr 27, 2022 | Jun 06, 2023 | 259 |
According to Bitdefender’s 2020 report, victims of this malware numbered in the tens of thousands, or even hundreds of thousands over a four-year period. In 2022, Kaspersky reported that Mandrake was again lurking on Google Play and targeting users with even more sophisticated methods.
The new generation of Mandrake uses a number of advanced techniques to disguise its malicious behavior. These include multi-layered obfuscation and malicious functions ported to native libraries, making it harder for researchers to detect the malware. Mandrake moves its malicious code into the native library, libopencv_dnn.so, making it harder to analyze and detect.
Next-generation Mandrake uses methods such as screen recording to steal users’ credentials and download malicious apps at later stages. Screen recordings are initiated by commands from the control server and secretly record users’ inputted information.
Kaspersky researchers Tatyana Shishkova and Igor Golovin noted that Mandrake is dynamically evolving and constantly improving its methods. These improvements make the malware harder for researchers to detect and allow it to bypass Google Play’s moderation processes.
The apps identified by Kaspersky that contained Mandrake have already been removed from Google Play. However, this does not mean that the malware will not reappear in different ways in the future. Therefore, it is worth being careful.
{{user}} {{datetime}}
{{text}}