Kaspersky researchers have uncovered the resurgence of the Mandrake Android spyware, which has been active on the Google Play Store for the past two years, accumulating over 32,000 downloads through five different applications. First brought to light in 2020, Mandrake has returned with enhanced obfuscation techniques to circumvent security measures and complicate analysis.
Mandrake initially garnered attention with significant infection waves in 2016-2017 and again in 2018-2020. Bitdefender's detailed analysis in May 2020 highlighted its extensive capabilities and widespread impact. Despite these revelations, Mandrake has re-emerged with new samples that demonstrate improved evasion techniques and sophisticated obfuscation, allowing it to bypass Google Play's security protocols.
In April 2024, Kaspersky detected a new variant of Mandrake. This led to the identification of five infected applications on Google Play, which have collectively achieved over 32,000 downloads since 2022. These applications include:
- AirFS: A file-sharing app with over 30,000 downloads.
- Astro Explorer: A stargazing app.
- Amber: A photo editing app.
- CryptoPulsing: A cryptocurrency tracker.
- Brain Matrix: A brain-training game.
AirFS stands out as the most prominent, masquerading as a legitimate file-sharing tool while serving as a platform for espionage.
The new Mandrake variant utilizes advanced obfuscation strategies. Key malicious functionalities have been relocated to obfuscated native libraries, complicating the analysis process. Communication with command-and-control (C2) servers employs certificate pinning, preventing analysts from intercepting its TLS traffic with a proxy. Additionally, the spyware performs extensive checks to avoid sandbox environments and to detect rooted devices or emulators.
The infection chain of Mandrake operates in stages: dropper, loader, and core. In the latest campaign, the initial malicious activity is concealed within the native library libopencv_dnn.so, which decrypts the next stage (loader) from the assets/raw folder. The application then requests permissions to draw overlays and collects detailed device information to decide on subsequent actions.
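As an added illustration (not Kaspersky's tooling or code from the report), the following Python triage script checks an APK for the staging layout just described: a native library named libopencv_dnn.so under lib/ and high-entropy files under assets/raw that look like an encrypted next stage. The 7.5 bits/byte entropy threshold and the constructed sample archive are assumptions.

```python
import io
import math
import zipfile
from collections import Counter

# Indicators taken from the write-up: the first stage lives in a native library
# named libopencv_dnn.so and decrypts the loader from the assets/raw folder.
SUSPECT_NATIVE_LIB = "libopencv_dnn.so"
ENCRYPTED_STAGE_DIR = "assets/raw/"
HIGH_ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage of an APK (a zip archive) for the Mandrake-style staging layout."""
    findings = {"native_lib_hits": [], "high_entropy_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith("/" + SUSPECT_NATIVE_LIB):
                findings["native_lib_hits"].append(name)
            elif name.startswith(ENCRYPTED_STAGE_DIR) and not info.is_dir():
                ent = shannon_entropy(apk.read(name))
                if ent >= HIGH_ENTROPY_THRESHOLD:
                    findings["high_entropy_assets"].append((name, round(ent, 2)))
    # Both indicators together match the dropper layout described in the article.
    findings["suspicious"] = bool(findings["native_lib_hits"] and findings["high_entropy_assets"])
    return findings


def build_sample_apk(include_lib: bool = True) -> bytes:
    """Constructed stand-in for an APK; it is not a real Mandrake sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        if include_lib:
            z.writestr("lib/arm64-v8a/libopencv_dnn.so", b"\x7fELF" + b"\x00" * 64)
        # Uniform byte distribution stands in for an encrypted loader blob (entropy 8.0).
        z.writestr("assets/raw/data.bin", bytes(range(256)) * 16)
        z.writestr("assets/raw/readme.txt", b"plain text resource " * 50)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Treat a hit as a triage signal to pull the sample for dynamic analysis, not as proof of infection, since legitimate apps also ship native libraries and compressed assets.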
Mandrake’s primary objectives include stealing user credentials and executing further malicious applications. The spyware employs various commands to interact with the infected device, ranging from gathering system information to manipulating web views for credential theft.
These malicious applications have been downloaded in multiple countries, with significant numbers in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.