Security researchers have identified a new version of the Mandrake Android cyber-espionage malware [4], discovered by Kaspersky in April 2024 [4].
Description
This updated variant [2] [4], found in five Google Play applications from 2022 to 2024 [4], accumulated over 32,000 downloads without detection by other cybersecurity vendors [4]. The new Mandrake samples displayed enhanced obfuscation and evasion tactics [4], including moving malicious functions into obfuscated native libraries such as ‘libopencv_dnn’ and using certificate pinning for secure communications with command-and-control servers [4]. The malware remained undetected on Google Play for up to two years [4]; the most downloaded app [4] [6], AirFS [4], amassed over 30,000 installations before its removal in March 2024 [4].
The new Mandrake version operates through a multi-stage infection chain [4], with malicious activity hidden within a native library to evade analysis [4]. Mandrake’s encryption and decryption methods combine custom algorithms with standard AES encryption [4], making the malware difficult for cybersecurity experts to detect and analyze [4]. Kaspersky warned that the threat actors behind Mandrake continue to evolve their methods of concealment and evasion [4], posing a significant challenge to cybersecurity defenses [4].
The spyware operates in stages [7], with the main goals of stealing user credentials and executing next-stage malicious applications [7]. The infection process happens in stages [3]: the “dropper” app appears harmless at first and then downloads further components containing the complete malicious payload [3]. Google has removed the malicious apps from the Play Store [3], but users who may have installed them should delete them immediately and run a security scan on their devices [3]. The newest Mandrake app was last updated in March 2024 and removed from Google Play later that month [5], and none of the apps had been detected as malware by any vendor as of July 2024 [5].
To protect against threats like Mandrake spyware [2], Kaspersky experts recommend using official marketplaces [2], reliable security software [2], staying informed about common scams [2], and being cautious with third-party software from known sources [2]. The threat actor behind this campaign is believed to be the same as in a previous report by Bitdefender [2] [6], with C2 domains registered in Russia [2] [6]. The latest Mandrake campaign went undetected on Google Play for two years [2] [6], showcasing the advanced skills of threat actors and the increasing sophistication of threats infiltrating official app stores [2] [6]. The malicious apps were available in multiple countries, with most downloads in Canada [1] [2] [6], Germany [1] [2] [3] [6] [7], Italy [1] [2] [6] [7], Mexico [1] [2] [6] [7], Spain [1] [2] [6] [7], Peru [1] [2] [6] [7], and the UK [1] [2] [6] [7].
Conclusion
The new Mandrake Android cyber-espionage malware poses a significant threat to cybersecurity, with advanced obfuscation and evasion tactics making detection and analysis challenging. Users are advised to delete any potentially infected apps and run security scans on their devices. The evolving methods of threat actors highlight the need for constant vigilance and updated security measures to protect against sophisticated malware campaigns like Mandrake.
References
[1] https://cyber.vumetric.com/security-news/2024/07/29/android-spyware-mandrake-hidden-in-apps-on-google-play-since-2022/
[2] https://www.kaspersky.it/about/press-releases/2024kaspersky-scopre-una-nuova-campagna-dello-spyware-mandrake-con-oltre-32000-installazioni-su-google-play
[3] https://cybersecuritynews.com/malicious-mandrake-apps-google-play/
[4] https://www.infosecurity-magazine.com/news/mandrake-spyware-infects-32000/
[5] https://www.forbes.com/sites/zakdoffman/2024/07/29/new-google-play-store-update-for-samsung-pixel-android-in-5-weeks/
[6] https://www.adnkronos.com/immediapress/kaspersky-scopre-una-nuova-campagna-dello-spyware-mandrake-con-oltre-32000-installazioni-su-google-playsPWHJhpMcWuaX6sev5J5j
[7] https://securityonline.info/mandrake-android-spyware-resurfaces-on-google-play-evading-detection-for-two-years/