Mandrake spyware uses apps to infect thousands of devices

August 6, 2024
Tags: Mandrake Spyware, Android OS, Google Play, Cyberespionage, Mobile Apps

A new version of the Mandrake spyware has already infected numerous devices through applications distributed on Google Play.

According to reports, the new version of this sophisticated Android cyber-espionage malware was delivered through at least five Google Play applications between 2022 and 2024. Because the malware went unidentified for so long, the apps gathered thousands of downloads on the official app store and infected more than 32,000 devices.

The new Mandrake spyware has gained improved obfuscation and evasion capabilities.

The new version of the Mandrake spyware moves its harmful functionality into obfuscated native libraries, uses certificate pinning to secure its connections with C2 servers, and performs a range of checks on rooted devices to avoid detection.

Meanwhile, the apps that carried the malware reportedly remained on Google Play for up to two years. One of the most popular apps in this campaign, AirFS, reached more than 30,000 installations before it was removed in March 2024.

Furthermore, the new Mandrake version uses a multi-stage infection chain whose first stage is hidden inside a native library, which makes it harder to analyse than past campaigns, in which the first stage lived in the DEX file.

According to the initial investigation of the attack, the first-stage library decrypts and loads the second stage, which establishes communication with the command-and-control (C2) server. If necessary, the C2 server instructs the device to download and execute the core malware, which is designed to steal user passwords and install further malicious programs.

Researchers also revealed that Mandrake’s evasion techniques have improved: it now checks for emulation environments, rooted devices, and the presence of analysis tools. These upgrades make it difficult for researchers to identify and study the malware.
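Because the first stage now sits in a native library rather than the DEX, and because the malware relies on emulator, root and analysis-tool checks, one practical triage step for an analyst is to pull every `.so` out of an APK and look for the strings such checks typically need. The script below is an added illustration of that heuristic; it is not from the article, nor from any vendor tool, and the indicator strings are generic, well-known anti-analysis markers rather than Mandrake-specific indicators (the page gives none). The sample APK it scans is constructed in memory, and the library names (`libhelper.so`), thresholds and category names are assumptions made for the example.

```python
"""APK native-library triage heuristic (added example, not the article's or any vendor's code).

Extracts every native library from an APK (a ZIP file) and flags those that
carry strings commonly used by emulator, root and analysis-tool checks.
The sample APK is constructed inline so the script runs offline.
"""
import io
import zipfile

# Generic indicator strings seen in many anti-analysis routines.
# These are widely known heuristics, NOT Mandrake-specific IoCs (assumption).
ANTI_ANALYSIS_INDICATORS = {
    "emulator": [b"goldfish", b"ranchu", b"/dev/qemu_pipe", b"ro.kernel.qemu"],
    "root": [b"/system/bin/su", b"/system/xbin/su", b"magisk", b"superuser.apk"],
    "analysis_tool": [b"frida", b"xposed"],
}


def native_libs(apk_bytes: bytes) -> dict:
    """Return {path: contents} for every native library under lib/ in the APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            name: zf.read(name)
            for name in zf.namelist()
            if name.startswith("lib/") and name.endswith(".so")
        }


def scan_library(blob: bytes) -> dict:
    """Map each indicator category to the strings actually found in one library."""
    lowered = blob.lower()  # case-insensitive match on the raw bytes
    hits = {}
    for category, needles in ANTI_ANALYSIS_INDICATORS.items():
        found = [n.decode() for n in needles if n in lowered]
        if found:
            hits[category] = found
    return hits


def triage_apk(apk_bytes: bytes) -> dict:
    """Summarise native libraries and their hits.

    The APK is marked suspicious when hits span at least two categories
    (threshold chosen for this example; tune it for real triage).
    """
    libs = native_libs(apk_bytes)
    report = {"native_libs": sorted(libs), "hits": {}, "suspicious": False}
    for path, blob in libs.items():
        hits = scan_library(blob)
        if hits:
            report["hits"][path] = hits
    categories = {c for lib_hits in report["hits"].values() for c in lib_hits}
    report["suspicious"] = len(categories) >= 2
    return report


def build_sample_apk(lib_payload: bytes) -> bytes:
    """Construct a minimal fake APK (just a ZIP with the expected entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)  # tiny stub DEX
        zf.writestr("lib/arm64-v8a/libhelper.so", lib_payload)
    return buf.getvalue()


# Constructed sample libraries: ELF-looking blobs with and without check strings.
SAMPLE_BAD_LIB = b"\x7fELF" + b"\x00" * 32 + b"/system/bin/su\x00ro.kernel.qemu\x00frida\x00"
SAMPLE_GOOD_LIB = b"\x7fELF" + b"\x00" * 32 + b"libhelper_init\x00"

if __name__ == "__main__":
    for label, lib in (("bad", SAMPLE_BAD_LIB), ("good", SAMPLE_GOOD_LIB)):
        print(label, triage_apk(build_sample_apk(lib)))
```

On a real sample you would feed the APK bytes to `triage_apk` and treat a hit as a reason to look closer at that library, not as a verdict: legitimate apps (banking, DRM, anti-cheat) ship the same root and emulator checks, so the value of the heuristic is in prioritising which native libraries to disassemble first.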

The Mandrake authors have also adopted a new approach to data encryption and decryption, combining custom techniques with standard AES encryption.

This spyware keeps evolving, extending its evasion techniques, avoiding sandboxes, and bypassing new defence systems deployed by different organisations. These features show how sophisticated and capable the malware's developers have become, making their tools a more significant threat to users worldwide, especially Android device owners.
