A newly discovered variant of the Mandrake spyware has been identified on the Google Play Store, evading detection for roughly two years. According to a report by Kaspersky, the malware was found in five Android apps, cumulatively downloaded over 32,000 times. This revelation underscores the importance of carefully monitoring app downloads and permissions.
Apps Infected with Mandrake Malware
The malicious apps were disguised as a Wi-Fi file-sharing app, an astronomy services app, a game named Amber for Genshin, a cryptocurrency app, and a logic puzzles app. Despite being available on the Play Store since 2022, none of these apps was flagged by any security vendor, as Kaspersky noted from their VirusTotal results. Google has since removed the apps from its platform.
Mandrake Malware Overview
Mandrake is a sophisticated spyware that has been in existence since at least 2016, with the first public identification occurring in 2020. This malware is capable of stealing sensitive information, gaining remote control over infected devices, keylogging, capturing screenshots, and exfiltrating data. The new variant discovered by Kaspersky adds further layers of obfuscation and evasion: its malicious functionality is moved into native libraries obfuscated with OLLVM, it uses certificate pinning for its network communication, and it checks whether it is running on a rooted or emulated device so that it can avoid executing in analysis environments.
Evasion Tactics and Geographic Impact
The malware’s ability to bypass Google Play’s security checks allowed it to remain hidden for an extended period. Most of the downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. The attackers are suspected to be of Russian origin, as the command and control (C2) domains are registered in Russia.
Recommendations
Users are advised to review their installed apps, especially those downloaded from the Play Store, and to stay vigilant about app permissions. It is also recommended to use reputable security software and regularly update devices to protect against such threats.