Kaspersky researchers have identified a new spyware campaign distributing Mandrake malware through Google Play. This campaign has been active for two years, disguising the spyware as legitimate applications related to cryptocurrency, astronomy, and utilities. The spyware has amassed over 32,000 downloads during this period.
Mandrake, first identified in 2020, is a powerful Android espionage platform. The latest variant employs advanced obfuscation techniques to evade detection by Google Play and security software. This allowed the malicious apps, disguised as utilities like file sharing, astronomy services, and games, to remain undetected until April 2024.
The campaign targeted users in various countries, with downloads concentrated in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. The apps have since been taken down from Google Play.
Based on similarities between the campaigns and the locations of the C2 servers, Kaspersky experts believe the culprit behind this campaign is likely the same actor responsible for previous Mandrake attacks.
Details of the Campaign
The new Mandrake samples show significant advancements in evasion techniques. These include moving malicious functions into native libraries using OLLVM, implementing certificate pinning for secure communication with command and control (C2) servers, and performing extensive checks to detect if the malware is running on a real device or an emulated environment.
Kaspersky identified five specific applications on Google Play that contained the Mandrake spyware. These apps include a Wi-Fi file sharing app, an astronomy service app, an Amber game for Genshin, a cryptocurrency app, and a logic puzzle app. Despite being available for over a year, none of these apps were flagged as malware by any security vendors on VirusTotal.
Mandrake’s Stealthy Tactics
This new Mandrake variant utilizes several techniques to remain hidden:
- Obfuscation: Malicious functions are moved into native libraries compiled with OLLVM, making them harder to analyze than Java/Kotlin code.
- Secure Communication: Certificate pinning on the connection to the command and control servers resists interception, so the C2 traffic cannot easily be inspected.
- Anti-Emulation Checks: The malware checks whether it is running on a real device or in an emulated environment, and avoids exposing its behavior under sandbox analysis.
Technical Sophistication
The latest Mandrake variant is notable for its advanced cloaking techniques. These techniques are designed to bypass Google Play security checks and prevent analysis by security researchers. This sophistication has allowed the spyware to remain undetected while stealing sensitive information from infected devices.
Geographic Impact
Although the malicious apps have been removed from Google Play, they were downloaded in multiple countries. The highest number of downloads occurred in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
Attribution
The current campaign shares similarities with previous Mandrake operations, including C2 domains registered in Russia. This suggests a high probability that the same threat actor is behind both campaigns.
Security Recommendations
To protect against threats like Mandrake, Kaspersky advises the following:
- Use Official Stores: Download apps only from reputable and official sources. Be cautious, even with official platforms.
- Install Security Software: Utilize reputable antivirus and anti-malware software, such as Kaspersky Premium, to scan and protect devices from threats.
- Stay Informed: Educate yourself about the latest cyber threats and be wary of unsolicited requests for personal or financial information.