Android spyware and adware ‘Mandrake’ hidden in apps on Google Play since 2022

A brand new model of the Android spyware and adware ‘Mandrake’ has been present in 5 functions downloaded 32,000 instances from Google Play, the platform’s official app retailer.

Bitdefender first documented Mandrake in 2020, with the researchers highlighting the malware’s subtle spying capabilities and noting that it has operated within the wild since at the least 2016.

Kaspersky now experiences {that a} new variant of Mandrake that options higher obfuscation and evasion sneaked into Google Play by 5 apps submitted to the shop in 2022.

These apps remained accessible for at the least a yr, whereas the final one, AirFS, which was essentially the most profitable by way of recognition and infections, was eliminated on the finish of March 2024.

Kaspersky recognized the 5 Mandrake-carrying apps as follows:

• AirFS – File sharing by way of Wi-Fi by it9042 (30,305 downloads between April 28, 2022, and March 15, 2024)
• Astro Explorer by shevabad (718 downloads from Might 30, 2022 to to June 6, 2023)
• Amber by kodaslda (19 downloads between February 27, 2022, and August 19, 2023)
• CryptoPulsing by shevabad (790 downloads from November 2, 2022, to June 6, 2023)
• Mind Matrix by kodaslda (259 downloads between April 27, 2022 and June 6, 2023)

The cybersecurity agency says most downloads come from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.

Evading detection

Not like typical Android malware, which locations malicious logic within the app’s DEX file, Mandrake hides its preliminary stage in a local library, ‘libopencv_dnn.so,’ which is closely obfuscating utilizing OLLVM.

Upon the malicious app’s set up, the library exports features to decrypt the second-stage loader DEX from its property folder and cargo it into reminiscence.

The second stage requests permissions to attract overlays and hundreds a second native library, ‘libopencv_java3.so,’ which decrypts a certificates for safe communications with the command and management (C2) server.

Having established communication with the C2, the app sends a tool profile and receives the core Mandrake element (third stage) if deemed appropriate.

As soon as the core element is activated, Mandrake spyware and adware can carry out a variety of malicious actions, together with information assortment, display recording and monitoring, command execution, simulation of consumer swipes and faucets, file administration, and app set up.

Notably, the risk actors can immediate customers to put in additional malicious APKs by displaying notifications that mimic Google Play, hoping to trick customers into putting in unsafe recordsdata by a seemingly trusty course of.

Kaspersky says the malware additionally makes use of the session-based set up methodology to bypass Android 13’s (and later) restrictions on the set up of APKs from unofficial sources.

Like different Android malware, Mandrake can ask the consumer to grant permission to run within the background and conceal the dropper app’s icon on the sufferer’s system, working stealthily.

The malware’s newest model additionally options batter evasion, now particularly checking for the presence of Frida, a dynamic instrumentation toolkit widespread amongst safety analysts.

It additionally checks the system root standing, searches for particular binaries related to it, verifies if the system partition is mounted as read-only, and checks if improvement settings and ADB are enabled on the system.

The Mandrake risk stays alive, and whereas the 5 apps recognized as droppers by Kaspersky are now not accessible on Google Play, the malware might return by way of new, harder-to-detect apps.

Android customers are beneficial solely to put in apps from respected publishers, test consumer feedback earlier than putting in, keep away from granting requests for dangerous permissions that appear unrelated to an app’s operate, and be sure that Play Shield is all the time energetic.

Google shared the next assertion in regards to the malicious apps discovered on Google Play.

“Google Play Shield is constantly enhancing with every app recognized. We’re all the time enhancing its capabilities, together with upcoming stay risk detection to assist fight obfuscation and anti-evasion methods,” Google advised BleepingComputer.

“Android customers are robotically protected in opposition to identified variations of this malware by Google Play Shield, which is on by default on Android gadgets with Google Play Companies. Google Play Shield can warn customers or block apps identified to exhibit malicious habits, even when these apps come from sources outdoors of Play.”