‘Mandrake’ Malware hidden in Google Play Apps, Infects 32,000 Devices

Key Takeaways

  • Mandrake was first detected in 2020, after four years of activity without capture.
  • A sophisticated, updated version of the spyware was in operation for two years before the fifth impacted app was shut down earlier this year.
  • Kaspersky identified the most recent threat but has warned Mandrake could return in a more elaborate guise.

Researchers have identified a new version of ‘Mandrake’, an elaborate Android malware tool.

The spyware was initially discovered by Bitdefender in May 2020, after four years of circulating online undetected. Kaspersky has now reported that a new variant with enhanced spying capabilities was hidden within five apps on Google Play from 2022 until earlier this year.

Crucially, the apps in question have been downloaded 32,000 times while Mandrake was operating under the radar. Those carrying the spyware were: AirFS, Amber, Astro Explorer, Brain Matrix, and CryptoPulsing.

AirFS was the most significant of the five for downloads, infections, and longevity, with 30,305 connections between April 28, 2022 and March 15, 2024. It was the last of the five apps to be addressed and removed, with users most affected in Canada, Germany, Italy, Mexico, Spain, Peru, and the United Kingdom.

Upon closer inspection, the most recent Mandrake samples were found to contain enhanced evasion tactics. Amended functions included storing malicious commands in obfuscated native libraries, using certificate pinning for secure communications with command-and-control (C2) servers, and manipulating various tests to avoid detection on rooted or emulated devices.

Mandrake Spyware is Evolving Dynamically

The Mandrake spyware takes the native library route, unlike conventional Android malware, which places its malicious code in the app’s DEX file. When the compromised app is installed, the native library exports the functions that decrypt the next-stage loader DEX and load it into memory.
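The staging pattern described above (a native library that decrypts a DEX payload and loads it from memory) leaves triage indicators a defender can check before any dynamic analysis. The script below is an added example, not code from Kaspersky, Bitdefender or the Mandrake samples: it scans an APK’s `lib/` entries for DEX class-loader references combined with a high-entropy region, using a constructed APK-shaped zip and an assumed entropy threshold of 7.5 bits per byte.

```python
import io
import math
import zipfile
from collections import Counter

# Class-loader references a native library needs in order to load a DEX
# payload straight from memory, the staging behaviour described above.
LOADER_MARKERS = (b"dalvik/system/InMemoryDexClassLoader",
                  b"dalvik/system/DexClassLoader")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def max_chunk_entropy(data: bytes, chunk: int = 4096) -> float:
    """Highest window entropy, so a small encrypted blob is not averaged away."""
    return max((shannon_entropy(data[i:i + chunk])
                for i in range(0, len(data), chunk)), default=0.0)

def triage_apk(apk_bytes: bytes, threshold: float = 7.5) -> dict:
    """Heuristic triage: flag native libraries that both reference a DEX class
    loader and hold a high-entropy region (a candidate encrypted next-stage DEX)."""
    libs = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                blob = zf.read(name)
                libs[name] = {"loader_refs": [m.decode() for m in LOADER_MARKERS if m in blob],
                              "max_entropy": round(max_chunk_entropy(blob), 2)}
    flagged = [n for n, f in libs.items() if f["loader_refs"] and f["max_entropy"] >= threshold]
    return {"libraries": libs, "flagged": flagged,
            "verdict": "suspicious" if flagged else "no_native_staging_indicators"}

def build_sample_apk(native_lib: bytes) -> bytes:
    """Constructed, minimal APK-shaped zip for offline testing (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)  # tiny stub DEX
        zf.writestr("lib/arm64-v8a/libnative.so", native_lib)
    return buf.getvalue()

# Constructed libraries: a benign one holding only plaintext symbols, and a staging-style
# one naming the in-memory loader next to a maximal-entropy blob (bytes 0..255 cycled).
BENIGN_LIB = b"\x7fELF" + b"JNI_OnLoad libc.so __cxa_finalize " * 200
STAGING_LIB = b"\x7fELF JNI_OnLoad " + LOADER_MARKERS[0] + bytes(range(256)) * 32

if __name__ == "__main__":
    for label, lib in (("benign", BENIGN_LIB), ("staging", STAGING_LIB)):
        print(label, triage_apk(build_sample_apk(lib))["verdict"])
```

A hit is a reason to look closer, not a conviction: legitimate hot-patch and plugin frameworks also use `InMemoryDexClassLoader`, and compressed assets inside a library raise entropy without being payloads.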

Once that process is complete and the core components are active, Mandrake can carry out an array of illicit tasks, such as data collection, screen recording, and monitoring. It can also perform user swipes and taps, app installations, and command execution.

The threat from Mandrake remains, and further vigilance is needed. Although Kaspersky has identified the five affected apps and they have been removed from Google Play, the spyware could re-emerge hidden in apps that are harder to detect.

The Russian-owned multinational cybersecurity firm, which has mothballed its US operations due to ongoing geopolitical tensions, has warned “Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion and bypassing new defense mechanisms”.