Mandrake Spyware Hidden in Google Play Apps Since 2022
A new variant of the Android spyware 'Mandrake' has been discovered in five apps that were downloaded 32,000 times from Google Play, the official app store for Android devices. Bitdefender initially uncovered Mandrake in 2020 and noted its advanced spying capabilities, revealing that it had been in circulation since at least 2016.
According to Kaspersky, the latest version of Mandrake has improved obfuscation and evasion techniques, enabling it to infiltrate Google Play through five apps submitted to the store in 2022. These apps remained available for over a year, with the most popular and infected one, AirFS, being removed at the end of March 2024.
Kaspersky has identified the five apps carrying Mandrake as follows:
- AirFS – File sharing via Wi-Fi by it9042 (30,305 downloads between April 28, 2022, and March 15, 2024)
- Astro Explorer by shevabad (718 downloads from May 30, 2022, to June 6, 2023)
- Amber by kodaslda (19 downloads between February 27, 2022, and August 19, 2023)
- CryptoPulsing by shevabad (790 downloads from November 2, 2022, to June 6, 2023)
- Brain Matrix by kodaslda (259 downloads between April 27, 2022, and June 6, 2023)
Kaspersky has found that most of the downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
Avoiding Being Discovered
Android malware typically places its malicious logic in the app's DEX file, but Mandrake conceals its initial stages in a native library called "libopencv_dnn.so," which is heavily obfuscated with OLLVM.
The library exports functions to load the second-stage loader DEX into memory and decrypt it from its assets folder after the malicious app is installed.
The second stage loads another native library called "libopencv_java3.so," which decrypts a certificate for secure communications with the command and control (C2) server and requests permission to draw overlays.
After connecting to the C2, the app sends a device profile and, if it is determined to be appropriate, obtains the third stage of the Mandrake core.
Once the core component is activated, Mandrake can carry out a wide range of malicious tasks, such as data collection, screen recording and monitoring, command execution, simulating user swipes and taps, file management, and app installation.
Notably, the malware can pose as Google Play notifications, prompting users to install further malicious APKs through what appears to be a trusted process.
According to Kaspersky, the malware also gets around Android 13's (and later) prohibitions against installing APKs from unofficial sources by using the session-based installation technique.
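The staged layout described above (a native library decrypting a DEX payload from the assets folder, the overlay permission, and the ability to install further packages) lends itself to a simple static triage heuristic. The Python below is an added example written for this article, not Kaspersky's or Bitdefender's code; it assumes the permission list is supplied separately (for instance from `aapt dump permissions`) and uses a constructed stand-in APK rather than a real sample. OpenCV-named libraries are legitimate in many apps, so the check keys on the combination of indicators rather than on file names.

```python
import io
import math
import os
import zipfile

# Permissions the article ties to Mandrake's behaviour: drawing overlays
# (fake Google Play prompts) and installing further APKs via a session.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed payloads approach 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_apk(apk_bytes: bytes, permissions: list, threshold: float = 7.5) -> dict:
    """Flag the stage layout described for Mandrake: native .so libraries shipped
    together with a high-entropy (likely encrypted) asset, plus the two permissions
    needed to show overlays and install more packages. Heuristic, not a signature."""
    findings = {"native_libs": [], "high_entropy_assets": [], "permissions": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
            elif name.startswith("assets/") and not info.is_dir():
                data = z.read(name)  # decompressed content, so entropy reflects the payload
                ent = shannon_entropy(data)
                if len(data) >= 1024 and ent >= threshold:
                    findings["high_entropy_assets"].append((name, round(ent, 2)))
    findings["permissions"] = [p for p in (OVERLAY, INSTALL) if p in permissions]
    findings["suspicious"] = bool(findings["native_libs"]
                                  and findings["high_entropy_assets"]
                                  and len(findings["permissions"]) == 2)
    return findings

def build_sample_apk() -> bytes:
    """Constructed stand-in APK (not a real Mandrake sample): a native library
    alongside an encrypted-looking asset, mirroring the described layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 4096)
        z.writestr("lib/arm64-v8a/libopencv_dnn.so", b"\x7fELF" + b"\x00" * 2048)
        z.writestr("assets/payload.bin", os.urandom(8192))  # stands in for the encrypted loader DEX
        z.writestr("assets/readme.txt", b"plain text asset " * 100)  # low entropy, must not be flagged
    return buf.getvalue()
```

A real pipeline would follow a hit with dynamic analysis, since the article notes the payload is only served after the C2 accepts the device profile.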
Similar to other malware for Android, Mandrake may request permission from the user to operate covertly in the background and conceal the icon of the dropper app on the target device.
In addition to battery evasion, the most recent version of the malware now specifically looks for Frida, a dynamic instrumentation toolkit that security analysts find useful.
In addition, it looks for specific binaries linked to the device, confirms that the system partition is mounted as read-only, and examines whether ADB and development settings are enabled on the device.
The five apps that Kaspersky found to be droppers are no longer available on Google Play, but the malware may resurface in the form of new, more difficult-to-detect apps, indicating that the Mandrake threat is still present.
It is advised that Android users install apps only from reliable publishers, read user reviews before installing, decline requests for dubious permissions that don't seem to be related to the app's purpose, and always keep Play Protect turned on.
Regarding the malicious apps that can be found on Google Play, Google released the following statement:
"With every app detected, Google Play Protect gets better and better. We're constantly improving its capabilities, including upcoming live threat detection to help combat obfuscation and anti-evasion techniques."
"Google Play Protect, which is turned on by default on Android devices with Google Play Services, automatically defends Android users against known versions of this malware. Even when apps are downloaded from sources other than Play, Google Play Protect has the ability to alert users or prohibit apps that are known to behave maliciously."