Kaspersky researchers have discovered a new variant of the Mandrake spyware, which evaded detection on Google Play from 2022 to 2024, accumulating over 32,000 installs. This latest version showcases advanced obfuscation and evasion techniques, allowing it to remain undetected by security vendors.
The resurgence of Mandrake was first noted in April 2024 when Kaspersky analysts identified a suspicious sample. Upon investigation, five applications were found to contain the spyware, with the most downloaded app, AirFS, amassing over 30,000 downloads. These apps utilized advanced obfuscation, including moving malicious functionality to obfuscated native libraries and using certificate pinning for secure communications, making them difficult to analyze and detect.
The following applications were identified as carriers of Mandrake spyware:
- AirFS (com.airft.ftrnsfr): Over 30,000 downloads
- Astro Explorer (com.astro.dscvr)
- Amber (com.shrp.sght)
- CryptoPulsing (com.cryptopulsing.browser)
- Brain Matrix (com.brnmth.mtrx)
Most of the spyware installations were in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. Based on similarities with previous campaigns and the use of C2 domains registered in Russia, it is believed that the same threat actors behind earlier Mandrake campaigns are responsible for this resurgence.
Kaspersky
Mandrake technical breakdown
Mandrake's infection chain is multi-staged, comprising dropper, loader, and core components. Initially, the dropper stage, concealed within the native library libopencv_dnn.so, decrypts and loads the next stage. The loader stage then decrypts and initiates the core component, which performs the primary malicious activities. These activities include stealing credentials, reporting installed applications, and performing automated actions on web pages.
The latest variant of Mandrake employs sophisticated evasion tactics. For starters, the core malicious functionality is hidden within native libraries obfuscated using OLLVM, complicating reverse engineering. The spyware conducts extensive checks to avoid running in emulated environments or on rooted devices, targeting only genuine user devices. Mandrake is also able to detect the presence of debugging tools like Frida, terminating execution if such tools are found.
Defense measures
To mitigate the risk of Mandrake and similar threats, users and organizations should follow some basic protection measures on Android.
- Only download apps from reputable developers and verify their legitimacy through reviews and ratings.
- Avoid downloading APKs from outside Google Play, as the likelihood of malware infection increases.
- Keep the OS and applications updated to protect against known vulnerabilities.
- Restrict app permissions to only those necessary for the app's functionality.
- Regularly scan the device using Google Play Protect.
HealthEquity Data Breach Impacts 4.3 Million Individuals
Leave a Reply