Security Experts Raise Alarm As Android’s Spyware Mandrake Still Looms On Google Play Store

The latest variant of the Android spyware dubbed Mandrake still exists, despite being discovered in 2022.

Security experts are raising the alarm because the spyware was found in five apps on the Google Play Store, where downloads hit the 32,000 mark.

We first heard about the spyware in 2022, when Bitdefender shed light on its capabilities and on how strong and sophisticated it was in terms of spying. They noted that it had been operating in the wild since the start of 2016.

As reported by Kaspersky, a newer version of Mandrake exists with better obfuscation and more features for evading detection on Google's Play Store. It managed to sneak into five apps, and those apps stayed available for nearly an entire year.

One of them was AirFS, which was popular and successful but ended up being removed in March of this year. The apps to avoid are AirFS, Astro Explorer, Amber, Brain Matrix, and CryptoPulsing.

Cybersecurity experts noted that a lot of the downloads came from countries such as Spain, the United Kingdom, Canada, Mexico, Peru, and Italy.

So how does it evade detection? It does not take the approach of classic Android malware, which puts its malicious logic into the app's DEX file. Instead, this spyware hides its initial stage inside a native library, which is obfuscated using OLLVM.

Once the malware has been downloaded, the library exports functions that decrypt the second-stage loader from the app's assets and then load it into memory.

The second stage, meanwhile, requests permission to draw overlays and loads another native library. That library decrypts certificates used for communication with the command-and-control (C2) server.

Once communication with the C2 is established, the app sends a device profile and, if the device is found suitable, receives the core component, which is Mandrake's third stage.

Once the core component is activated, the spyware can carry out a wide array of malicious activities such as collecting the user's data, monitoring their actions, recording the screen, copying their taps and swipes, managing files, installing apps, and executing various commands.

What's even more alarming is that the threat actors prompt the user to install further malicious apps and APKs by displaying alerts that mimic Google Play. This tricks users into downloading more unsafe content through a process that appears reliable.

On top of that, the malware uses a session-based installation method. This is designed to bypass the restrictions that Android 13 and newer place on APK installations from unofficial sources.

Like other Android malware, it can ask users for permission to run in the background and can hide the dropper app's icon on the victim's device. This ensures it keeps working without error.

The newest variant of this malware has even better features for avoiding detection and evading analysis. It checks for the presence of Frida, a dynamic instrumentation toolkit that is popular among security experts.

Beyond that, it checks whether the device is rooted and searches for particular binaries associated with rooting. It also verifies whether the system partition is mounted read-only and checks whether development settings are enabled on the user's device.

The threat is very much still there. While all five apps were identified by experts and are no longer on the Google Play Store, the malware could come back in new apps that are much harder to detect.

For this reason, security experts have warned users to download only reliable and trustworthy apps from trusted sources and publishers, and to review the comments and feedback of others before deciding to download. This reduces the risk to a large extent. Keeping Play Protect active at all times is another step that should be taken.

Google Play says it is working continuously with cybersecurity experts and improving with every app identified. It wants to improve the capabilities on offer, such as live threat detection, to better combat the techniques that such threat actors use for evasion.

