Connect with us

Hi, what are you looking for?



‘Mandrake’ Android Spyware Remained Undetected for 4 Years

Security researchers at Bitdefender have identified a highly sophisticated Android spyware platform that managed to remain undetected for four years.

Security researchers at Bitdefender have identified a highly sophisticated Android spyware platform that managed to remain undetected for four years.

Dubbed Mandrake, the platform targets only specific devices, as its operators are keen on remaining undetected for as long as possible. Thus, the malware avoids infecting devices in countries that might bring no benefit for the attackers.

Over the past four years, the platform has received numerous updates, with new features being constantly added, and obsolete ones being removed. Under continuous development, the malware framework is highly complex, Bitdefender’s security researchers say.

Mandrake provides attackers with complete control over an infected device, allowing them to turn down the volume, block calls and messages, steal credentials, exfiltrate data, transfer money, record the screen, and blackmail the victim.

“Considering the complexity of the spying platform, we assume that every attack is targeted individually, executed with surgical precision and manual rather than automated. Weaponization would take place after a period of total monitoring of the device and victim,” Bitdefender explains.

Mandrake looks like an advanced espionage platform, but the security researchers believe the campaign is rather financially motivated. During their investigation, they observed phishing attacks targeting an Australian investment trading app, crypto-wallet apps, the Amazon shopping application, banking software, payment apps, an Australian pension fund app, and Gmail.

Mandrake infections happened in two waves, the researchers say. The first took place in 2016 and 2017, and a second between 2018 and 2020, with most of the victims located in Australia, Europe, and the Americas. Australia appears to be the most targeted.

Advertisement. Scroll to continue reading.

According to Bitdefender, the current wave likely made tens of thousands of victims to date, with hundreds of thousands likely infected over Mandrake’s four-year lifespan. Every victim was likely exposed to some form of data theft, the researchers say.

Seven malicious applications delivering Mandrake were identified in Google Play alone, namely Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope and Car News, each of them having hundreds of thousands of downloads.

To gain users’ trust, the operators pay attention to negative reviews posted for their apps and often deliver fixes for reported issues. They also left the apps mostly ad free, and created a dedicated microsite, along with social media accounts to persuade users to download their apps.

Furthermore, the malicious activity is delayed and works in three stages: dropper, loader and core. The apps published in Google Play represent the dropper, but the loader and the core are delivered at an unpredictable point in time, or never.

The malware avoids about 90 countries from infection and does not run on devices with no SIM or with SIM cards issued by certain operators, including Verizon and China Mobile Communications Corporation (CMCC).

Various anti-emulation and hiding techniques are also employed, along with administrator privileges and the Accessibility Service to ensure persistence following infection. The malware also grants itself a great deal of permissions that allow it to collect and exfiltrate large amounts of data and to track and spy on users.

The malware operators can also erase all traces of compromise by issuing a command to reboot the device and reset it to factory settings, effectively wiping the malware. This command is only called if the malware has admin privileges.

Related: Firm’s MDM Server Abused to Deliver Android Malware to 75% of Its Devices

Related: New ‘EventBot’ Android Malware Targets Nearly 300 Financial Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...