New Mandrake Spyware Found in Google Play Store Apps After Two Years
An advanced Android spyware has been discovered within five apps on the Google Play Store, where it remained undetected for two years. The apps, which received over 32,000 installations, have been removed from the store. Obfuscation and sandbox evasion are some of the advanced evasion mechanisms that made it go undetected.
History and Evolution of Mandrake
First spotted in May 2020, Mandrake has, in fact been in circulation since 2016. Newer variants utilize OLLVM to obfuscate core functionality and include anti-analysis capabilities. The malware has yet not been attributed to an actor or group.
The list of apps containing Mandrake -
- AirFS (com.airft.ftrnsfr)
- Amber (com.shrp.sght)
- Astro Explorer (com.astro.dscvr)
- Brain Matrix (com.brnmth.mtrx)
- CryptoPulsing (com.cryptopulsing.browser
The Mandrake-containing apps are delivered in three stages:
1. A dropper that activates a loader
2. A second-stage payload gathering device information and soliciting permissions
3. A third-stage that supports additional commands, including remote screen sharing and recording
Evasion Techniques and Bypassing Defenses
Mandrake uses the following techniques for evasion: obfuscation, sandbox evasion, certificate pinning, and anti-analysis techniques.
Google Response
Google has improved Google Play Protect defenses in order to detect and block Mandrake. Android users are already protected against known versions of this malware.
- Other (42)
- Ransomware (128)
- Events and News (26)
- Features (45)
- Security (433)
- Tips (79)
- Google (22)
- Achievements (9)
- Products (33)
- Activation (7)
- Dealers (1)
- Bank Phishing (42)
- Malware Alerts (195)
- Cyber Attack (221)
- Data Backup (11)
- Data Breach (80)
- Phishing (139)
- Securty Tips (1)
- Browser Hijack (16)
- Adware (15)
- Email And Password (67)
- Android Security (56)
- Knoweldgebase (38)
- Botnet (15)
- Updates (3)
- Alert (71)
- Hacking (57)
- Social Media (7)
- vulnerability (54)
- Hacker (31)
- Spyware (8)
- Windows (6)
- Microsoft (21)
- Uber (1)
- YouTube (1)
- Trojan (2)
- Website hacks (3)
- Paytm (1)
- Credit card scam (1)
- Telegram (3)
- RAT (5)
- Bug (3)
- Twitter (2)
- Facebook (7)
- Banking Trojan (5)
- Mozilla (2)
- COVID-19 (5)
- Instagram (2)
- NPAV Announcement (5)
- IoT Security (1)
- Deals and Offers (1)
- Cloud Security (8)
- Offers (5)
- Gaming (1)
- FireFox (2)
- LinkedIn (2)
- WhatsApp (4)
- Amazon (1)
- DMart (1)
- Payment Risk (4)
- Occasion (2)
- firewall (1)
- Cloud malware (2)
- Cloud storage (2)
- Financial fraud (7)
- Impersonation phishing (1)
- DDoS (4)
- Smishing (2)
- Whale (0)
- Whale phishing (3)
- WINRAR (2)
- ZIP (2)