New Mandrake Spyware Found in Google Play Store Apps After Two Years

An advanced Android spyware strain, Mandrake, has been found in five apps on the Google Play Store, where it went undetected for two years. The apps, which together received more than 32,000 installations, have since been removed from the store. Code obfuscation and sandbox evasion are among the evasion mechanisms that allowed it to go unnoticed for so long.

History and Evolution of Mandrake

First publicly documented in May 2020, Mandrake has in fact been in circulation since 2016. Newer variants use OLLVM (Obfuscator-LLVM) to obfuscate their core functionality and include anti-analysis capabilities. The malware has not yet been attributed to any actor or group.

The apps found to contain Mandrake:

  • AirFS (com.airft.ftrnsfr)
  • Amber (com.shrp.sght)
  • Astro Explorer (com.astro.dscvr)
  • Brain Matrix (com.brnmth.mtrx)
  • CryptoPulsing (com.cryptopulsing.browser)
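As an added example (not part of the original article), the following Python script sweeps an Android device's installed packages for the package names listed above. It parses the output of `adb shell pm list packages -f`, which prints one `package:<apk path>=<package name>` line per installed app. The sample output embedded in the script is constructed for the demonstration, and the `sweep_device` helper assumes `adb` is on the PATH with a device connected.

```python
"""Check an Android device's installed-package list against the Mandrake package names.

Added example, not from the original article. The APK paths in SAMPLE_OUTPUT
below are constructed and do not come from a real device.
"""
import re
import subprocess
from typing import Dict, List

# Package names taken from the article's list of Mandrake-carrying apps.
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr": "AirFS",
    "com.shrp.sght": "Amber",
    "com.astro.dscvr": "Astro Explorer",
    "com.brnmth.mtrx": "Brain Matrix",
    "com.cryptopulsing.browser": "CryptoPulsing",
}

# `pm list packages -f` line format: package:<apk path>=<package name>.
# The greedy path group plus a name group that cannot contain '=' means the
# split lands on the *last* '=', so APK paths that themselves contain '='
# (Android's base64-style install directory names can) are handled correctly.
_LINE = re.compile(r"^package:(?P<path>.+)=(?P<name>[A-Za-z0-9_.]+)$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output.

    Lines that do not match the expected format are skipped rather than
    raised on, so stray shell output does not abort the sweep.
    """
    packages: Dict[str, str] = {}
    for raw in output.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            packages[m.group("name")] = m.group("path")
    return packages


def find_mandrake(packages: Dict[str, str]) -> List[dict]:
    """Return a record for every installed package whose name is a Mandrake indicator."""
    hits: List[dict] = []
    for name, path in sorted(packages.items()):
        if name in MANDRAKE_PACKAGES:
            hits.append({"package": name, "app": MANDRAKE_PACKAGES[name], "apk": path})
    return hits


def sweep_device(adb: str = "adb") -> List[dict]:
    """Query a connected device over adb (assumed on PATH) and return any hits."""
    out = subprocess.run(
        [adb, "shell", "pm", "list", "packages", "-f"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_mandrake(parse_pm_list(out))


# Constructed sample output standing in for a real device; two of the lines
# carry Mandrake package names, one line is deliberately malformed.
SAMPLE_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Qz1pX2a-b==/com.airft.ftrnsfr-1/base.apk=com.airft.ftrnsfr
package:/data/app/com.example.notes-2/base.apk=com.example.notes
package:/data/app/~~kL8w=Zt/com.cryptopulsing.browser-1/base.apk=com.cryptopulsing.browser
garbage line without the expected prefix
"""

if __name__ == "__main__":
    for hit in find_mandrake(parse_pm_list(SAMPLE_OUTPUT)):
        print(f"{hit['app']} ({hit['package']}) installed at {hit['apk']}")
```

Because the match is on exact package names, this only catches the five known samples; a renamed or repackaged variant would need an additional indicator (for example the APK's signing certificate) to be detected.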

The apps deliver Mandrake in three stages:

1. A dropper that activates a loader
2. A second-stage payload that gathers device information and solicits permissions
3. A third stage that supports additional commands, including remote screen sharing and recording

Evasion Techniques and Bypassing Defenses

Mandrake relies on several techniques to evade detection and analysis: code obfuscation, sandbox evasion, certificate pinning on its command-and-control traffic (which frustrates interception of that traffic during analysis), and further anti-analysis checks.

Google Response

Google has improved Google Play Protect defenses to detect and block Mandrake. Android users with Google Play Services are protected against known versions of this malware; as the wording implies, variants not yet seen by Play Protect are not necessarily covered.