New Discovery of Sophisticated Mandrake Android Spyware in Google Play Store Apps

Introduction

A new iteration of the sophisticated Android spyware known as Mandrake has been uncovered in five applications that were available on the Google Play Store. The spyware went undetected for nearly two years, a gap that has caused significant concern in the cybersecurity community. According to a report by Kaspersky, the apps accumulated over 32,000 downloads before they were removed from the Play Store.

Geographic Spread and Impact

The spyware-laden applications had a wide geographic reach, with most downloads originating from countries including Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K. The stealthy nature of the Mandrake spyware allowed it to evade detection and infiltrate devices across these regions.

Technical Advancements in the Latest Mandrake Variant

The updated version of Mandrake incorporates new layers of obfuscation and evasion techniques, making it more difficult to detect. These techniques include the use of obfuscated native libraries, certificate pinning for command-and-control (C2) communications, and a series of checks to determine if the spyware is running on a rooted device or within an emulated environment.

Historical Context of Mandrake

Mandrake was first documented by the Romanian cybersecurity firm Bitdefender in May 2020. It was noted for its careful and deliberate approach of infecting only a limited number of devices while remaining hidden, with activity traced back as far as 2016. Despite its long existence, Mandrake has not yet been definitively linked to any specific threat actor or group.

New Features of the Updated Mandrake Variant

The latest versions of Mandrake are distinguished by their use of OLLVM (Obfuscator-LLVM) to hide the malware's primary functionality. They also employ a range of sandbox-evasion and anti-analysis techniques designed to prevent the malware from executing in the environments used by malware analysts.

Infected Applications

The following applications were found to contain the Mandrake spyware:

  • AirFS (com.airft.ftrnsfr)
  • Amber (com.shrp.sght)
  • Astro Explorer (com.astro.dscvr)
  • Brain Matrix (com.brnmth.mtrx)
  • CryptoPulsing (com.cryptopulsing.browser)

These apps execute their malicious activities in three stages:

  1. Dropper Stage: This initial stage launches a loader that is responsible for executing the core component of the malware after downloading and decrypting it from a C2 server.

  2. Second-Stage Payload: This stage gathers information about the device, including connectivity status, installed applications, battery level, external IP address, and the current Google Play version. Additionally, it can wipe the core module and request permissions to draw overlays and run in the background.

  3. Third-Stage Payload: This stage supports additional commands such as loading a specific URL in a WebView, initiating a remote screen-sharing session, and recording the device screen with the intent of stealing the victim's credentials and deploying more malware.

Bypassing Android 13 Security Features

To circumvent the security features introduced in Android 13, particularly the 'Restricted Settings' feature that blocks sideloaded applications from requesting dangerous permissions, Mandrake uses a 'session-based' package installer to complete its installation.

Ongoing Threat and Google's Response

Kaspersky has highlighted Mandrake as a dynamically evolving threat that continues to refine its techniques to bypass security measures and avoid detection. The persistence and sophistication of this malware underline the skill of the threat actors behind it and the need for stricter controls on applications before they are published in official marketplaces.

In response to the discovery, Google has stated that it is continually enhancing Google Play Protect defenses to address new threats as they emerge. Google Play Protect, which is enabled by default on Android devices with Google Play Services, is designed to automatically protect users from known versions of this malware. It can also warn users or block apps that display malicious behavior, even if they are downloaded from sources outside the Play Store.

Conclusion

The discovery of the Mandrake spyware in Google Play Store apps is a stark reminder of the evolving threats in the mobile ecosystem. Despite the efforts of Google and other security entities, sophisticated malware like Mandrake continues to find ways into official app marketplaces. The incident underscores the importance of vigilance from both app store operators and users, and the need for detection and defense mechanisms to keep pace with increasingly complex and elusive threats.