Mandrake Spyware Returns: Hidden in Google Play Apps for Two Years, Evading Detection
by duytol - Tuesday July 30, 2024 at 03:06 PM
#1
A new variant of the Mandrake spyware has been discovered on Google Play, hiding in legitimate-looking apps related to cryptocurrency, astronomy, and utility tools. This spyware has been active since 2016, with its latest version evading detection through advanced obfuscation and evasion techniques.

Mandrake was found in five applications, which were available on Google Play from 2022 to 2024, amassing over 32,000 downloads. The apps were downloaded primarily in countries like Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. The spyware uses a complex multi-stage infection process involving native libraries to bypass Google Play's security checks. It requests permissions for activities such as screen recording, data collection, and command execution, allowing it to perform various malicious actions on infected devices.

The spyware's evasion techniques include using obfuscated native libraries, certificate pinning for secure communication, and extensive checks to detect if it's running on a rooted device or within an emulated environment. The malware can also mimic Google Play notifications to trick users into installing additional malicious APKs.

Although the identified malicious apps have been removed from Google Play, the threat remains, and users are advised to install apps only from reputable publishers, check user reviews, and avoid granting unnecessary permissions. Google Play Protect has been enhanced to combat such threats, providing automatic protection against known malware versions.

For more details, you can refer to the articles on The Hacker News, IT-Online, and Bleeping Computer.
#2
Oh well, time to never ever install an app again :/
#3
And yet, the original spyware still remains: Google Play.
#4
Google Play is a spyware itself, as mentioned above. The telemetry volume of this app is crazy.