Site icon API Security Blog

Mandrake spyware sneaks onto Google Play again, flying under the radar for two years

Introduction In May 2020, Bitdefender released a white paper containing a detailed analysis of Mandrake, a sophisticated Android cyber-espionage platform, which had been active in the wild for at least four years. In April 2024, we discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any other vendor. The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment. Our findings, in a nutshell, were as follows. After a two-year break, the Mandrake Android spyware returned to Google Play and lay low for two years. The threat actors have moved the core malicious functionality to native libraries obfuscated with OLLVM. Communication with command-and-control servers (C2) uses certificate pinning to prevent capture of SSL traffic. Mandrake is equipped with a diverse arsenal of sandbox evasion and anti-analysis techniques. Kaspersky products detect this threat as HEUR:Trojan-Spy.AndroidOS.Mandrake.* . Technical details Background The original Mandrake campaign with its two major infection waves, in 2016–2017 and…Read More

Exit mobile version