BIGFISH TECHNOLOGY LIMITED
30 July 2024

Beware of Malicious Mandrake Apps on Google Play With Over 32,000 Installs

A sophisticated Android spyware campaign known as Mandrake has reappeared on the Google Play Store, racking up over 32,000 installs between 2022 and 2024.

Mandrake has returned after a two-year hiatus with its most recent campaign. To avoid detection, the malware can remain dormant on a victim's phone for extended periods of time.

The most widely installed of the apps, AirFS, had over 30,000 installations before it was removed from Google Play in March 2024.

The malicious apps, which posed as ordinary software, include:

  • AirFS (30,305 downloads)
  • Astro Explorer (718 downloads)
  • Amber (19 downloads)
  • Cryptopulsing (790 downloads)
  • Brain Matrix (259 downloads)

Mandrake is a powerful cyber-espionage platform that has been operating since at least 2016. The current version leverages sophisticated evasion strategies, including relocating the malicious code into obfuscated native libraries and using certificate pinning for its command-and-control connections. These tactics allowed the malware to go undiscovered by security vendors for years while stealing sensitive user data.

Once installed and activated on an Android smartphone, Mandrake can:

  • Steal account credentials and other sensitive information.
  • Record the device's screen.
  • Track the GPS location.
  • Read SMS messages and contact lists.
  • Install or uninstall additional applications.
  • Start phone calls.
  • Share the screen and give the operators remote access to the device.

Mandrake is particularly dangerous because of its selective targeting. The malware does not activate on every device it is installed on; it picks victims based on parameters such as geographic location and device characteristics. This selectivity is a large part of why it stayed under the radar for so long.

According to the researchers, "the Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion, and bypassing new defense mechanisms."

The infection process occurs in stages. The "dropper" app that users install looks innocent at first; only later does it download further components that contain the full payload. This multi-stage delivery makes the infection much harder to detect.

The majority of infections were detected in Canada, Germany, and other European countries, but the threat is global. Users everywhere should be cautious when downloading new or unknown apps, even from official sources such as Google Play.

Be especially careful with apps from unfamiliar developers. Review the permissions an app requests, and be wary of apps that ask for access to device functions they have no obvious need for.
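As an added example (not code from the article, from Cyber Security News, or from the researchers who analysed Mandrake), the following script turns the capability list above and the permission advice into a triage check: it parses the text printed by `adb shell dumpsys package <pkg>` and flags apps whose granted permissions cover several of the capabilities attributed to Mandrake. The sample dumpsys text and its package names are constructed for the example, the permission groupings are the author's own mapping, and the pattern is deliberately loose because the dumpsys layout varies between Android versions.

```python
"""Triage installed Android apps by their granted permissions.

Added example for this article, not code from the article's source or from
the researchers who analysed Mandrake. It parses the text that
`adb shell dumpsys package <pkg>` prints and flags apps whose granted
permissions cover several of the capabilities the article attributes to
Mandrake (location, SMS, contacts, calls, installing apps, overlays usable
for remote control).
"""
import re
import sys

# Real Android permission names, grouped by the capability they enable.
# Screen recording (MediaProjection) and accessibility services do not show up
# as granted permissions in dumpsys, so that capability is not covered here.
CAPABILITY_PERMISSIONS = {
    "location tracking": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_BACKGROUND_LOCATION",
    },
    "SMS access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts access": {"android.permission.READ_CONTACTS"},
    "phone calls": {"android.permission.CALL_PHONE"},
    "app install/uninstall": {
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.REQUEST_DELETE_PACKAGES",
    },
    "overlay / remote control": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# dumpsys prints "<permission>: granted=<bool>[, flags=...]" under both the
# "install permissions:" and "runtime permissions:" headings. The exact layout
# varies between Android versions, so the pattern is deliberately loose
# (assumption: the "name: granted=true/false" shape is stable).
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z0-9_]+): granted=(true|false)", re.M)
PKG_SPLIT_RE = re.compile(r"^\s*Package \[", re.M)


def parse_dumpsys(text):
    """Map each package name in dumpsys output to the set of permissions granted to it."""
    granted_by_pkg = {}
    for chunk in PKG_SPLIT_RE.split(text)[1:]:  # chunk 0 is text before the first package
        name = chunk.split("]", 1)[0]
        granted_by_pkg[name] = {
            m.group(1) for m in PERM_RE.finditer(chunk) if m.group(2) == "true"
        }
    return granted_by_pkg


def triage(granted_by_pkg, min_capabilities=3):
    """Return {package: [capabilities]} for apps matching at least min_capabilities groups."""
    flagged = {}
    for pkg, granted in granted_by_pkg.items():
        caps = sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items() if granted & perms)
        if len(caps) >= min_capabilities:
            flagged[pkg] = caps
    return flagged


# Constructed sample in the shape of dumpsys output; the package names are made up.
SAMPLE_DUMPSYS = """\
  Package [com.example.notes] (1a2b3c):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
  Package [com.example.filemanager] (4d5e6f):
    userId=10124
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CALL_PHONE: granted=false, flags=[ USER_SET ]
"""


if __name__ == "__main__":
    # Pipe real output in (adb shell dumpsys package <pkg>) or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    for pkg, caps in triage(parse_dumpsys(text)).items():
        print(f"{pkg}: {', '.join(caps)}")
```

To use it on a real device, list third-party packages with `adb shell pm list packages -3`, then pipe `adb shell dumpsys package <pkg>` for each into the script. A hit is a reason to look closer, not proof of infection; and because the dropper described above looks innocent at install time and fetches its payload later, an app that acquired these permissions well after it was installed deserves the same scrutiny as one that asked for them up front.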

Google has since removed the rogue apps from the Play Store. Users who may have installed any of these applications should uninstall them immediately and run a security scan on their devices.

Source: Cyber Security News 

#cybersecurity #cybersecuritynews #malware  #Android