Kaspersky researchers have uncovered a new version of the notorious Mandrake spyware, revealing advanced obfuscation techniques that allowed it to bypass Google Play’s security checks and remain undetected for two years.
First identified in 2020, Mandrake has been an active Android espionage platform since at least 2016. The latest variant, detected in April 2024, showcases enhanced functionality and evasion capabilities that have raised concerns among cybersecurity experts.
The new Mandrake samples employ several advanced techniques to avoid detection:
- Shifting malicious functions to obfuscated native libraries using OLLVM
- Implementing certificate pinning for secure communication with command and control (C2) servers
- Conducting extensive checks to detect rooted devices or emulated environments
Tatyana Shishkova, Lead Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT), commented:
“After evading detection for four years in its initial versions, the latest Mandrake campaign remained undetected on Google Play for an additional two years.
This demonstrates the advanced skills of the threat actors involved. It also highlights a troubling trend: as restrictions tighten and security checks become more rigorous, the sophistication of threats penetrating official app stores increases, making them more challenging to detect.”
Kaspersky’s investigation revealed five applications containing the Mandrake spyware, which collectively amassed over 32,000 downloads. These apps, all published on Google Play in 2022, were available for at least a year and masqueraded as legitimate applications:
- A Wi-Fi file-sharing app
- An astronomy services app
- An ‘Amber for Genshin’ game
- A cryptocurrency app
- A logic puzzles app
As of July 2024, none of these apps were flagged as malware by any vendor on VirusTotal—underscoring the effectiveness of Mandrake’s obfuscation techniques.
While the malicious applications are no longer available on Google Play, they were widely distributed across multiple countries. The majority of downloads occurred in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
The persistent nature of the Mandrake threat actor is evident in the similarities between the current and previous campaigns. Kaspersky researchers noted that the C2 domains were registered in Russia, leading them to conclude with high confidence that the same threat actor identified in Bitdefender’s initial detection report is behind this latest campaign.