The Android spyware known as Mandrake has made a significant resurgence with a new variant. This Mandrake spyware has been discovered hidden in five seemingly innocuous applications on Google Play. These apps, which were downloaded a combined total of over 32,000 times, remained undetected by most security vendors for nearly two years.
Mandrake spyware first emerged in 2016, with its sophisticated spying capabilities making headlines in 2020. Bitdefender’s detailed analysis revealed that Mandrake was a potent piece of Android spyware, capable of extensive espionage. The latest reports, however, highlight that Mandrake has evolved, employing more advanced evasion techniques to avoid detection.
Overview of the Mandrake Spyware Campaign
The new Mandrake Android spyware variant, uncovered by Kaspersky, exhibits enhanced obfuscation and evasion methods. These include moving malicious functionalities to obfuscated native libraries and using certificate pinning for command-and-control (C2) communications. This updated version of Mandrake was embedded in five apps submitted to Google Play in 2022 and stayed hidden until early 2024.
The infiltration of Mandrake spyware into Google Play has been traced to five specific applications. Among them is AirFS, a file-sharing app developed by it9042, which saw a significant number of downloads—30,305—between April 28, 2022, and March 15, 2024. Another app, Astro Explorer, was developed by shevabad and recorded 718 downloads from May 30, 2022, to June 6, 2023.
Amber, created by kodaslda, had a more modest reach with 19 downloads between February 27, 2022, and August 19, 2023. Similarly, CryptoPulsing, also developed by shevabad, was downloaded 790 times from November 2, 2022, to June 6, 2023. Lastly, Brain Matrix, another app by kodaslda, accumulated 259 downloads between April 27, 2022, and June 6, 2023.
The spread of these infected apps was notably global, with the majority of infections occurring in countries such as Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
Evolution of Mandrake Spyware
The latest version of Mandrake spyware represents a significant advancement in evasion techniques compared to its predecessors. Unlike earlier iterations that relied on relatively straightforward malware deployment methods, this new variant incorporates several sophisticated tactics.
One of the most notable improvements is its advanced obfuscation methods. The current Mandrake variant employs heavily obfuscated native libraries, such as libopencv_dnn.so and libopencv_java3.so, to conceal its malicious operations. These libraries play a crucial role in managing and decrypting subsequent stages of the malware.
In addition to advanced obfuscation, Mandrake now utilizes certificate pinning to secure its communications with command-and-control (C2) servers. This technique prevents the interception of SSL traffic, making it harder for security analysts to monitor or analyze the data being transmitted. The spyware has also improved its sandbox evasion techniques, which now include checks for debugging tools and emulator environments. These enhancements make it increasingly difficult for analysts to detect and analyze the spyware.
Mandrake operates through a multi-stage infection process. The initial stage, known as the dropper, is embedded within the native libraries and is responsible for decrypting and loading subsequent stages. The second stage, the loader, handles further decryption and prepares the environment for the core component. The core stage contains the primary malicious functionalities of Mandrake, including data theft and surveillance.
Among the various malicious activities that Mandrake can perform are screen recording and automated actions. The spyware is capable of capturing screenshots and recording screens, which are then sent to the C2 servers. It can also automate actions such as swiping and clicking on web pages. Additionally, Mandrake collects sensitive information, including user credentials, device details, and a list of installed applications.
Impact and Response
The infiltration of Mandrake spyware into Google Play highlights a significant issue in-app marketplace security. Despite Google’s efforts to thoroughly vet applications, sophisticated threats like Mandrake have still managed to bypass these defenses. The extended period during which these malicious apps went undetected highlights the pressing need for continual vigilance and enhanced security measures to protect users.
As Mandrake Android spyware advances in its concealment and evasion techniques, it poses a considerable challenge to both users and security professionals. This recent discovery of Mandrake’s improved methods of hiding and operating within official app stores further emphasizes the critical need for robust security practices and ongoing monitoring.
The ability of Mandrake to evade detection and persist within app marketplaces highlights the necessity for more stringent security protocols. To effectively combat such sophisticated threats, it is essential to implement and enforce more rigorous security measures and maintain heightened vigilance in monitoring app stores.
