Researchers from Kaspersky have uncovered a sophisticated spyware campaign utilizing Mandrake malware, which has been distributed through seemingly legitimate apps on Google Play.
32,000 Devices Infected
According to Ziare, over 32,000 devices have been infected by Mandrake, which remained undetected for two years because of the advanced camouflage techniques employed by the hackers.
Mandrake, first identified by Bitdefender in 2020, was recognized as a sophisticated Android spyware active since 2016. The latest findings from Kaspersky, revealed in April 2024, indicate an updated version of Mandrake with enhanced features designed to evade detection and analysis.
These Apps are Infected
Key to the new Mandrake variant is its advanced camouflage strategies. These include:
Native Library Integration: The malware moves its malicious functionality into native libraries, making it harder for security tools to detect and analyze.
Certificate Pinning: Communications with the Command and Control (C2) servers are pinned to a specific certificate, so the traffic cannot be intercepted and inspected.
Advanced Testing: The malware runs a series of checks to determine whether it is executing on a real device or in a virtualized environment, which makes analysis in such environments more difficult.
Kaspersky identified five infected applications on Google Play that contained Mandrake spyware. These apps, available for download for over a year, were:
AirFS (com.airft.ftrnsfr)
Amber (com.shrp.sght)
Astro Explorer (com.astro.dscvr)
Brain Matrix (com.brnmth.mtrx)
CryptoPulsing (com.cryptopulsing.browser)
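A defender-side check built on the five package identifiers above, added here as an example (it is not code from the article or from Kaspersky): it parses the output of `adb shell pm list packages` and reports any installed package that matches the published list. The file name `check_mandrake.py` and the embedded sample output are assumptions for illustration.

```python
"""Flag installed Android packages that match the Mandrake package names listed above."""
import re
import sys

# Package identifiers named in the article (the five apps Kaspersky found on Google Play).
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr": "AirFS",
    "com.shrp.sght": "Amber",
    "com.astro.dscvr": "Astro Explorer",
    "com.brnmth.mtrx": "Brain Matrix",
    "com.cryptopulsing.browser": "CryptoPulsing",
}

# `pm list packages` prints one line per app: "package:<identifier>" (with -U/-f it appends more fields).
_PM_LINE = re.compile(r"^package:(\S+)")

# Constructed sample of `pm list packages` output, used when nothing is piped in.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.shrp.sght
package:com.google.android.gms
package:com.brnmth.mtrx
Warning: unrelated line that must be ignored
"""


def parse_pm_output(text: str) -> list[str]:
    """Extract package identifiers from `pm list packages` output, skipping non-matching lines."""
    found = []
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            found.append(m.group(1))
    return found


def find_mandrake(packages) -> dict[str, str]:
    """Return {package_id: app_name} for each installed package on the published list."""
    return {p: MANDRAKE_PACKAGES[p] for p in packages if p in MANDRAKE_PACKAGES}


if __name__ == "__main__":
    # Usage: adb shell pm list packages | python3 check_mandrake.py
    raw = SAMPLE_PM_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    hits = find_mandrake(parse_pm_output(raw))
    for pkg, name in hits.items():
        print(f"MATCH: {pkg} ({name})")
    sys.exit(1 if hits else 0)
```

A match only confirms that the identifier is present; a package with the same name could have been reinstalled from a clean source, so treat a hit as a trigger for further investigation rather than proof of infection.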