-3.2 C
New York

Kaspersky Uncovers New Mandrake Spyware Campaign with Over 32,000 Installs on Google Play

Kaspersky researchers have identified a new spyware campaign distributing Mandrake malware through Google Play. This campaign has been active for two years, disguising the spyware as legitimate applications related to cryptocurrency, astronomy, and utilities. The spyware has amassed over 32,000 downloads during this period​.

Mandrake, first identified in 2020, is a powerful Android espionage platform. The latest variant employs advanced obfuscation techniques to evade detection by Google Play and security software. This allowed the malicious apps, disguised as utilities like file sharing, astronomy services, and games, to remain undetected until April 2024.

The campaign targeted users in various countries, with downloads concentrated in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. The apps have since been taken down from Google Play.

Kaspersky experts believe the culprit behind this campaign is likely the same actor responsible for previous Mandrake attacks based on similarities and C2 server locations.

Details of the Campaign

The new Mandrake samples show significant advancements in evasion techniques. These include moving malicious functions into native libraries using OLLVM, implementing certificate pinning for secure communication with command and control (C2) servers, and performing extensive checks to detect if the malware is running on a real device or an emulated environment​.

Kaspersky identified five specific applications on Google Play that contained the Mandrake spyware. These apps include a Wi-Fi file sharing app, an astronomy service app, an Amber game for Genshin, a cryptocurrency app, and a logic puzzle app. Despite being available for over a year, none of these apps were flagged as malware by any security vendors on VirusTotal​.

Mandrake’s Stealthy Tactics

This new Mandrake variant utilizes several techniques to remain hidden:

  • Obfuscation: Malicious functions are shifted to native libraries, making them harder to analyze.
  • Secure Communication: Certificate pinning ensures encrypted communication with command and control servers.
  • Anti-Emulation Checks: The malware detects if it’s running in an emulated environment, avoiding sandbox analysis.

Technical Sophistication

The latest Mandrake variant is notable for its advanced cloaking techniques. These techniques are designed to bypass Google Play security checks and prevent analysis by security researchers. This sophistication has allowed the spyware to remain undetected while stealing sensitive information from infected devices​.

Geographic Impact

Although the malicious apps have been removed from Google Play, they were downloaded in multiple countries. The highest number of downloads occurred in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK​​.

Attribution

The current campaign shares similarities with previous Mandrake operations, including C2 domains registered in Russia. This suggests a high probability that the same threat actor is behind both campaigns​.

Security Recommendations

To protect against threats like Mandrake, Kaspersky advises the following:

  • Use Official Stores: Download apps only from reputable and official sources. Be cautious, even with official platforms.
  • Install Security Software: Utilize reputable antivirus and anti-malware software, such as Kaspersky Premium, to scan and protect devices from threats​.
  • Stay Informed: Educate yourself about the latest cyber threats and be wary of unsolicited requests for personal or financial information.

Subscribe

Related articles

How Companies Lose Millions of Dollars to Phishing

IBM’s latest Cost of a Data Breach report identifies...

API Abuse and Bots: The Overlooked Threat to Digital Infrastructure

There are many threats to digital infrastructure in 2024,...

Historic Malware Breaches That Shook the World of Tech

Technology has moved so fast from the early days...

How Businesses Can Strengthen Their Cybersecurity

It’s no longer if you will be breached, but...
About Author
Abhinandan Jain
Abhinandan Jain
Abhinandan, an e-commerce student by day and a tech enthusiast by night, became a part of Alltech through our Student Skill Development Initiative. With a deep fascination for emerging markets like AI and robotics, he is a passionate advocate for the transformative potential of technology to make a positive global impact. Committed to utilizing his skills to further this cause.