
New Android Spyware Mandrake Found In Apps On The Google Play Store


A new iteration of the sophisticated Android spyware known as Mandrake has been discovered in five applications available on the Google Play Store. These apps remained undetected for two years, accumulating over 32,000 installations. The spyware was primarily downloaded in Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K. This revelation highlights the persistent threat posed by advanced malware and the importance of robust security measures.

What is Mandrake?

Background

Mandrake is a highly sophisticated spyware that has been operating stealthily since 2016. Initially documented by Bitdefender in 2020, Mandrake is known for its deliberate and targeted approach to infecting devices. The latest variants incorporate new layers of obfuscation and evasion techniques, making detection even more challenging.

Operation and Techniques

Mandrake employs a multi-stage infection process:

  1. Dropper Stage: The dropper launches a loader that executes the core component of the malware after downloading and decrypting it from a command-and-control (C2) server.

  2. Loader Stage: This stage collects device information, such as connectivity status, installed applications, battery percentage, external IP address, and Google Play version. It can also wipe the core module and request permissions to draw overlays and run in the background.

  3. Core Stage: The core component can load specific URLs in a WebView, initiate remote screen sharing sessions, record the device screen, steal credentials, and drop additional malware.

Evasion Techniques

Mandrake uses advanced techniques to avoid detection:

  • Obfuscated Native Libraries: Malicious functionality is hidden within obfuscated native libraries.

  • Certificate Pinning: C2 traffic is pinned to specific certificates, which hampers interception and inspection of the spyware's communications.

  • Sandbox Evasion: Techniques to prevent execution in emulated environments or devices operated by malware analysts.

  • OLLVM (Obfuscator-LLVM): A compiler-level obfuscation tool used to conceal the main functionality of the spyware.

Who Is at Risk?

General Android Users

Any Android user who downloaded one of the affected applications is at risk. The five applications identified are:

  • AirFS (com.airft.ftrnsfr)

  • Amber (com.shrp.sght)

  • Astro Explorer (com.astro.dscvr)

  • Brain Matrix (com.brnmth.mtrx)

  • CryptoPulsing (com.cryptopulsing.browser)
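As an added example (not code from the Cyber Syrup article or from any of the cited researchers), the following POSIX shell check compares a device's installed-package list against the five package names listed above. It assumes input in the format produced by `adb shell pm list packages`, one `package:<name>` line per installed app; the sample list inside the script is constructed for the demo, not taken from a real device.

```sh
#!/bin/sh
# Added example, not from the article: flag installed packages whose names
# match the five Mandrake-carrying apps named in the report.
# Assumed input format: one "package:<name>" line per installed app, as
# printed by `adb shell pm list packages`.

# Package names from the article (the five affected Play Store apps).
MANDRAKE_PKGS="com.airft.ftrnsfr com.shrp.sght com.astro.dscvr com.brnmth.mtrx com.cryptopulsing.browser"

# find_mandrake: read "package:<name>" lines on stdin and print each name
# that appears in MANDRAKE_PKGS, one per line. Follows the grep convention:
# exit status 0 when at least one match was found, 1 when the list is clean.
find_mandrake() {
    found=1
    while IFS= read -r line; do
        pkg=${line#package:}                # strip the "package:" prefix
        [ "$pkg" = "$line" ] && continue    # skip lines not in the expected format
        for known in $MANDRAKE_PKGS; do
            if [ "$pkg" = "$known" ]; then
                printf '%s\n' "$pkg"
                found=0
            fi
        done
    done
    return $found
}

# Demo on a constructed package list (no device needed). Two of the three
# entries are Mandrake package names, so the check should report them.
SAMPLE='package:com.android.chrome
package:com.shrp.sght
package:com.cryptopulsing.browser'

if printf '%s\n' "$SAMPLE" | find_mandrake; then
    echo "known Mandrake package(s) found in the sample list"
else
    echo "no known Mandrake packages in the sample list"
fi
```

On a real device, pipe the package list into the function instead of the sample: `adb shell pm list packages | find_mandrake`. A clean result only means none of these five package names is installed; a later Mandrake build shipped under a different app would not be caught by a name list, so treat this as a quick triage step rather than proof of absence.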

High-Value Targets

Individuals with high-value data or those working in sensitive sectors such as government, healthcare, or finance are particularly at risk due to the potential for significant data breaches and financial losses.

Global Users

Given the geographical distribution of downloads, users from Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K. are especially vulnerable.

How to Protect Yourself

Strengthening Security Measures

  1. Regular Software Updates: Ensure your operating system and applications are always up-to-date to protect against known vulnerabilities.

  2. Use Strong Passwords and MFA: Implement strong, unique passwords and enable multi-factor authentication (MFA) for all your accounts.

Verifying Application Sources

  1. Check Developer Information: Verify the developer information and read reviews before downloading any application from the Play Store.

  2. Be Cautious with Permissions: Review and limit the permissions granted to apps, especially those requesting access to sensitive data.

Continuous Security Monitoring

  1. Install Security Software: Use reputable antivirus and anti-malware software to detect and block malicious activities.

  2. Monitor Account Activity: Regularly check your account activity for any unauthorized access or unusual behavior.

Education and Awareness

  1. Stay Informed: Keep up-to-date with the latest cybersecurity threats and best practices.

  2. Employee Training: If you manage a team, ensure they are educated about the risks and signs of malware.

Incident Response

  1. Have a Plan: Develop an incident response plan to address potential security breaches quickly.

  2. Backup Data: Regularly back up your data to ensure you can recover in case of a malware attack.

Google's Response

Google has taken steps to enhance its security measures on the Play Store. The company is continuously improving Google Play Protect defenses to detect and block malicious apps, even those employing advanced obfuscation and anti-evasion techniques. Android users are automatically protected against known versions of Mandrake by Google Play Protect, which is enabled by default on devices with Google Play Services.

Conclusion

The discovery of the sophisticated Mandrake spyware underscores the importance of vigilance and robust security practices. By understanding the risks associated with malware and taking proactive steps to protect your devices and data, you can mitigate the impact of these threats. Regular updates, cautious downloading practices, and continuous monitoring are essential in safeguarding your digital environment from advanced cyber threats.