There’s Dangerous Malware Hiding for Years on Google Play
Morrissey Technology – Security researchers at Kaspersky have discovered malware, or more precisely spyware, called Mandrake hiding inside applications on Google Play. The spyware was found in crypto asset, astronomy and utility applications that were officially available on Google Play. Worse still, Mandrake had been available for two years and had been downloaded 32 thousand times.
The sample studied by Kaspersky featured advanced obfuscation and evasion techniques that allowed it to remain undetected by security vendors. Interestingly, Mandrake is not new spyware at all. It was first documented in 2020 by BitDefender, which found at the time that the spyware had spread in two large waves.
Applications compromised by Mandrake were first available on Google Play between 2016 and 2017, and then appeared again between 2018 and 2020. The spyware's defining capability is that it can operate without being detected by Google, which allowed it to infect large numbers of users and reach hundreds of thousands of victims over four years. Kaspersky researchers then rediscovered this espionage malware in April 2024 with more sophisticated capabilities.
“This new sample features advanced obfuscation and evasion techniques, including redirecting malicious functions to native obfuscated libraries using OLLVM, implementing certificate pinning for secure communication with command and control (C2) servers, and performing extensive checks to detect whether Mandrake is operating on rooted devices or in an emulated environment,” Kaspersky wrote.
The applications infiltrated by Mandrake this time were all published on Google Play in 2022. They were presented as a file sharing application over Wi-Fi, an astronomy service application, Amber for Genshin games, a crypto asset application, and a logic puzzle application. As of July 2024, none of these apps had been detected as malware by any vendor, according to VirusTotal. Although the apps are no longer on Google Play, they were available for a long time and were most downloaded in Canada, Germany, Italy, Mexico, Spain, Peru and the UK.
“After evading detection for four years in its initial version, the latest Mandrake campaign remained undetected on Google Play for another two years. This demonstrates the sophisticated skills of the threat actors involved. It also highlights a troubling trend: as restrictions and security checks tighten, the sophistication of threats that slip through official app stores increases, making them increasingly difficult to detect,” said Tatyana Shishkova, principal security researcher at Kaspersky’s GReAT (Global Research and Analysis Team).