Facepalm: Mandrake is a recurring cyber threat within the Android mobile ecosystem. Researchers discovered Mandrake-infected apps a few years ago, and the malware has now apparently returned with even more sophisticated techniques designed to evade the latest security protections.
The Mandrake malware family was initially discovered by Bitdefender in 2020. The Romanian cybersecurity company detected the threat in two major infection waves, first in fake apps available for download on Google Play in 2016-2017 and again in 2018-2020. Mandrake’s most notable feature was its ability to fly under Google’s radar and infect a large number of users, estimated to be in the “hundreds of thousands” over four years.
The initial waves of Mandrake infections employed several tricks to conceal their presence. The malware was designed to deliver its final, malicious payload to specific, highly targeted victims, and it even contained a “seppuku” kill switch capable of erasing all traces of the infection from a device.
The fake apps hiding the Mandrake malware were fully functional “decoys” in categories such as finance, automotive, video players, and other popular app types. Cybercriminals, or possibly third-party developers recruited for the task, quickly fixed bugs reported by users in the Play Store’s comment section. Additionally, TLS certificates were used to hide communications between the malware and the command and control (C&C) servers.
After claiming its first victims, the Mandrake malware family seemed to disappear from the Android ecosystem. Now, Kaspersky has discovered a new wave of infected apps that are even harder to detect and analyze than before. This “new generation” uses various layers of code obfuscation to prevent analysis and bypass Google’s scanning algorithms, with specific countermeasures against sandbox-based analysis techniques.
Kaspersky noted that the Mandrake authors possess formidable coding skills, making the malware even more challenging to detect and study. The most recent app containing Mandrake was updated on March 15, according to the Russian security firm, and was removed from the app store by the end of the same month. Neither Google nor third-party companies were able to flag these new apps as malicious.
Despite this latest wave of decoy apps, Mandrake’s primary purpose appears to remain unchanged. The malware is designed to steal users’ credentials by recording what’s happening on a phone’s display and sending these recordings to the C&C servers. It is also capable of downloading and executing additional malicious payloads.
Kaspersky has not provided any further information or speculation about the Mandrake authors and their motives. The company identified five different apps carrying the malware, which Google ultimately removed from the Play Store.