'Mandrake' Android Spyware Remained Undetected for 4 Years

Security researchers at Bitdefender have identified a highly sophisticated Android spyware platform that managed to remain undetected for four years.

Dubbed Mandrake, the platform targets only specific devices, as its operators are keen on remaining undetected for as long as possible. Thus, the malware avoids infecting devices in countries that would bring no benefit to the attackers.

Over the past four years, the platform has received numerous updates, with new features being constantly added, and obsolete ones being removed. Under continuous development, the malware framework is highly complex, Bitdefender’s security researchers say.

Mandrake provides attackers with complete control over an infected device, allowing them to turn down the volume, block calls and messages, steal credentials, exfiltrate data, transfer money, record the screen, and blackmail the victim.

“Considering the complexity of the spying platform, we assume that every attack is targeted individually, executed with surgical precision and manual rather than automated. Weaponization would take place after a period of total monitoring of the device and victim,” Bitdefender explains.

Mandrake looks like an advanced espionage platform, but the security researchers believe the campaign is rather financially motivated. During their investigation, they observed phishing attacks targeting an Australian investment trading app, crypto-wallet apps, the Amazon shopping application, banking software, payment apps, an Australian pension fund app, and Gmail.

Mandrake infections happened in two waves, the researchers say. The first took place in 2016 and 2017, and a second between 2018 and 2020, with most of the victims located in Australia, Europe, and the Americas. Australia appears to be the most targeted.

According to Bitdefender, the current wave has likely claimed tens of thousands of victims to date, with hundreds of thousands likely infected over Mandrake’s four-year lifespan. Every victim was likely exposed to some form of data theft, the researchers say.

Seven malicious applications delivering Mandrake were identified in Google Play alone, namely Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope and Car News, each of them having hundreds of thousands of downloads.

To gain users’ trust, the operators pay attention to negative reviews posted for their apps and often deliver fixes for reported issues. They also left the apps mostly ad-free, and created a dedicated microsite, along with social media accounts, to persuade users to download their apps.

Furthermore, the malicious activity is delayed and split into three stages: dropper, loader and core. The apps published in Google Play are only the dropper; the loader and the core are delivered at an unpredictable point in time, or never.

The malware refrains from infecting devices in about 90 countries and does not run on devices with no SIM or with SIM cards issued by certain operators, including Verizon and China Mobile Communications Corporation (CMCC).

Various anti-emulation and hiding techniques are also employed, along with administrator privileges and the Accessibility Service to ensure persistence following infection. The malware also grants itself a great deal of permissions that allow it to collect and exfiltrate large amounts of data and to track and spy on users.

The malware operators can also erase all traces of compromise by issuing a command to reboot the device and reset it to factory settings, effectively wiping the malware. This command is only called if the malware has admin privileges.
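The capabilities described above (a device-admin receiver, an Accessibility Service, broad SMS, call, overlay and package-install permissions, and a staged loader) all leave traces in an app's AndroidManifest.xml. The following triage script is an added example written for this article; it is not Bitdefender's tooling and not code from the Mandrake apps. It parses a manifest and scores the combination of capabilities the write-up attributes to Mandrake. The weights, the review threshold and the two sample manifests are this example's own constructed assumptions, chosen to illustrate the heuristic rather than to fingerprint any specific app.

```python
import xml.etree.ElementTree as ET

# Namespace used by all android:* attributes in a manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:<name> attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Permissions that map onto the behaviours reported for Mandrake
# (message/call interception, overlays for phishing, staged installs,
# SIM/operator checks). Weights are an assumption of this example.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.CALL_PHONE": 1,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,      # overlay windows
    "android.permission.READ_CONTACTS": 1,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,  # loader/core delivery
    "android.permission.READ_PHONE_STATE": 1,          # SIM / operator checks
}

REVIEW_THRESHOLD = 8  # assumed cut-off for manual review


def analyze_manifest(xml_text):
    """Return a dict with package name, score, findings and a verdict."""
    root = ET.fromstring(xml_text)
    findings = []
    score = 0

    # Declared permissions.
    declared = {attr(p, "name") for p in root.iter("uses-permission")}
    for perm, weight in SENSITIVE_PERMISSIONS.items():
        if perm in declared:
            findings.append(f"permission {perm}")
            score += weight

    # Device-admin receivers and accessibility services are declared as
    # components guarded by the corresponding BIND_* permission.
    has_admin = has_a11y = False
    app = root.find("application")
    if app is not None:
        for recv in app.iter("receiver"):
            if attr(recv, "permission") == "android.permission.BIND_DEVICE_ADMIN":
                findings.append(f"device-admin receiver {attr(recv, 'name')}")
                score += 3
                has_admin = True
        for svc in app.iter("service"):
            if attr(svc, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
                findings.append(f"accessibility service {attr(svc, 'name')}")
                score += 3
                has_a11y = True

    # The pairing is what gives the malware both persistence and a way to
    # click through prompts, so it is weighted separately.
    if has_admin and has_a11y:
        findings.append("device admin + accessibility service combination")
        score += 3

    verdict = "review" if score >= REVIEW_THRESHOLD else "low"
    return {"package": root.get("package"), "score": score,
            "findings": findings, "verdict": verdict}


# Constructed sample: a "currency converter" declaring the capability set
# described in the article. Package name and components are placeholders.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Converter">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign sample for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = analyze_manifest(m)
        print(r["package"], r["verdict"], r["score"], *r["findings"], sep="\n  ")
```

Because the dropper stage may carry little of this and the loader and core arrive later, a manifest-only score is a prioritisation aid for app vetting and incident triage, not a verdict; a low score on the Play Store build says nothing about what is fetched afterwards.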

Related: Firm's MDM Server Abused to Deliver Android Malware to 75% of Its Devices

Related: New 'EventBot' Android Malware Targets Nearly 300 Financial Apps