Kaspersky researchers have identified a new spyware campaign distributing Mandrake malware through Google Play under the guise of legitimate apps related to cryptocurrency, astronomy, and utility tools. Kaspersky experts have discovered five Mandrake applications on Google Play, which were available for two years, with more than 32,000 downloads. The latest samples feature advanced obfuscation and advanced evasion techniques, enabling them to remain undetected by security vendors.
First identified in 2020, Mandrake spyware is a sophisticated Android espionage platform that has been active since at least 2016. In April 2024, Kaspersky researchers uncovered a suspicious sample, suggesting a new version of Mandrake with enhanced functionality. These new samples feature advanced obfuscation and evasion techniques, including shifting malicious functions to obfuscated native libraries using OLLVM, implementing certificate pinning for secure communication with command and control (C2) servers, and conducting extensive checks to detect whether Mandrake is operating on a rooted device or within an emulated environment.
The key distinguishing feature of the new Mandrake variant is the addition of advanced obfuscation techniques designed to bypass Google Play’s security checks and hinder analysis. Company’s experts identified five applications containing the Mandrake spyware, collectively downloaded more than 32,000 times. These apps, all published on Google Play in 2022, were available for download for at least a year. They were presented as a file-sharing app via Wi-Fi, an astronomy services app, an Amber for Genshin game, a cryptocurrency app and app with logic puzzles. As of July 2024, none of these apps have been detected as malware by any vendor, according to VirusTotal.
While these malicious applications are no longer available in Google Play, they were available in a wide range of countries with the majority of downloads happening in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
“After evading detection for four years in its initial versions, the latest Mandrake campaign remained undetected on Google Play for an additional two years. This demonstrates the advanced skills of the threat actors involved. It also highlights a troubling trend: as restrictions tighten and security checks become more rigorous, the sophistication of threats penetrating official app stores increases, making them more challenging to detect,” comments Tatyana Shishkova, Lead Security Researcher at Kaspersky’s GReAT (Global Research and Analysis Team).