- Kaspersky, the Russian cybersecurity company, has found a new version of the Mandrake spyware hiding in 5 Google Play apps.
- All the infected apps have been removed but they have already been downloaded 32,000 times. Most of the downloads came from Spain, Peru, Germany, Canada, and the UK.
- The worst part about this new version is that it’s very hard to detect.
A new version of the popular Android spyware Mandrake has been found in 5 Google Play Store applications, according to a Kaspersky report. These apps include:
- AirFS (com.airft.ftrnsfr)
- Amber (com.shrp.sght)
- Brain Matrix (com.Astro.dscvr)
- Cryptopulsing (com.breath.mtrx)
- Astro Explorer (com.crypto pulsing.browser)
According to the report, the spyware has been hiding in these apps for the last 2 years. Together, these apps have more than 32,000 installations.
Most of these downloads came from Mexico, Spain, Peru, Germany, Canada and the UK. All 5 apps have now been removed from the app store with the most popular one, AirFS, being removed at the end of March 2024.
About the New Version of Mandrake
The new version employed new layers of evasion techniques according to researchers Tatyana Shishkova and Igor Golovin:
- Moving malicious functionality to obfuscated native libraries
- Using certificate pinning for C2 communications, and
- Performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment.
For example, Android 13 has added a “Restricted Settings” feature that prevents sideload apps from requesting dangerous permission. But Mandrake smartly bypasses this hurdle by processing the installation with a session-based package installer.
There are three stages involved:
- The first stage is a dropper that launches a loader that executes the core component of the malware post-download.
- In the second stage, information about the device’s connectivity status, battery percentage, IP address, and the current Google Play version is collected. In this stage, the spyware can also wipe the core module and get permission to draw overlays and run in the background.
- In the last stage, it can load a special URL on the web that will eventually grant the threat actor remote screen-sharing access.
What Does Google Have to Say About This?
Google has been informed about the incident. The tech giant said that it’s constantly amping up its security to prevent such threat actors from reaching its users. For example, it has added a live threat detection technique to handle anti-evasion techniques.
But as Kaspersky mentioned, Mandrake is one of those malware that’s constantly evolving and coming up with new evasion techniques. So tackling it is still a major challenge.
It is believed that the spyware first became active in 2016 but managed to evade detection until 2020 when it was first documented by Romanian cybersecurity vendor Bitdefender. It’s been 4 years and yet Mandrake has managed to escape scot-free every single time.
Our Editorial Process
Our Editorial Process
Share 
Krishi Chowdhary Journalist 
Question & Answers (0)