Security researchers have found a new version of ‘Mandrake’, a sophisticated Android cyber-espionage spyware tool. Bitdefender first analyzed the malware in May 2020, by which time it had gone undetected for at least 4 years.
In April 2024, Kaspersky found suspicious samples that later turned out to be the new version of Mandrake. The analysis revealed that it was embedded in five applications available on Google Play from 2022 to 2024, with more than 32,000 installations from the store in total.
In an advisory issued yesterday, Kaspersky reported that the new samples use enhanced obfuscation and evasion tactics.
These tactics include moving malicious functionality into native code, obfuscating native libraries, using certificate pinning to secure communications with C2 servers, and performing various checks to find out whether the malware is running on a rooted or emulated device.
Those apps were available on Google Play for two years; AirFS, the last of them, accumulated over 30,000 installations and was eventually taken down at the end of March 2024.
Unlike typical Android malware, which keeps its loader in the app’s DEX code, Mandrake uses a multi-stage infection chain and hides its initial stage in a native library, so that the first stage cannot be found by inspecting the DEX file.
The first-stage native library decrypts the second-stage loader DEX and communicates with the C2 server. If instructed, the server commands the device to download and execute the main malware payload, which steals user credentials and installs further malicious applications on the device.
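As an added defender-side example (not from the original article and not Kaspersky’s or Bitdefender’s tooling), the script below shows one triage check for this loader pattern: it opens an APK as a ZIP, computes the byte entropy of each native library under lib/, and flags libraries that look like they carry an encrypted embedded payload such as a second-stage DEX. The entropy threshold, the minimum size, and the sample APK it builds are constructed assumptions.

```python
"""Triage check for APKs that stash an encrypted stage inside a native library."""
import io
import math
import os
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off, ordinary ELF code sits well below this
MIN_SIZE = 4096          # assumed; skip tiny stub libraries


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_native_libs(apk_bytes: bytes) -> list[tuple[str, float]]:
    """Return (path, entropy) for lib/**/*.so entries whose bytes look encrypted or packed."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = zf.read(info)
            if len(data) < MIN_SIZE:
                continue
            ent = shannon_entropy(data)
            if ent >= ENTROPY_THRESHOLD:
                hits.append((name, round(ent, 2)))
    return hits


def build_sample_apk() -> bytes:
    """Constructed APK-like ZIP: one low-entropy library and one carrying a random-looking blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        # benign-looking library: ELF magic followed by repetitive, low-entropy bytes
        zf.writestr("lib/arm64-v8a/libplain.so", b"\x7fELF" + b"ABCD" * 2048)
        # loader-like library: ELF magic plus a high-entropy (encrypted-looking) payload
        zf.writestr("lib/arm64-v8a/libloader.so", b"\x7fELF" + os.urandom(16384))
    return buf.getvalue()


if __name__ == "__main__":
    for path, ent in suspicious_native_libs(build_sample_apk()):
        print(f"high-entropy native library: {path} ({ent} bits/byte)")
```

A real APK is passed in as its raw bytes; a hit only means the library deserves a closer look, since legitimate packers and compressed assets also produce high entropy.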
Kaspersky commented, “The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion, and bypassing new defense mechanisms. After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years while still available for download on Google Play.”
The researchers further added, “This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.”