New Mandrake Android Malware Variant Evades Detection for Over Two Years on Google Play

  • Core malware steals user credentials and deploys additional malicious applications
  • First identified in May 2020, latest version discovered in April 2024
  • Malware moves malicious functions to obfuscated native libraries and performs checks for emulation environments, rooted devices, and analyst tools
  • Mandrake uses advanced obfuscation and evasion techniques to avoid detection
  • New Android malware variant Mandrake evaded Google Play detection for over 2 years

A new and sophisticated variant of the Android malware Mandrake has resurfaced on Google Play, where it evaded detection for over two years. This latest version employs advanced obfuscation and evasion techniques that have made it hard for security researchers to detect.

First discovered in May 2020 by Bitdefender, Mandrake has been a persistent threat since at least 2016. The malware's latest iteration was identified in April 2024 by Kaspersky and found hidden within five applications on Google Play that had collectively amassed over 32,000 downloads.

The new Mandrake variant showcases several improvements compared to its predecessor. It moves malicious functions to obfuscated native libraries, uses certificate pinning for secure C2 communications, and performs various tests to avoid detection on rooted or emulated devices. These enhancements make it significantly more difficult for cybersecurity experts to detect and analyze the malware.

The multi-stage infection process of Mandrake begins with the initial malicious activity being concealed within a native library. The first-stage library then decrypts and loads the second stage, which initiates communication with the command-and-control (C2) server. If deemed necessary, the C2 server instructs the device to download and execute the core malware.

The core malware is designed to steal user credentials and deploy additional malicious applications, expanding its reach and potential for damage. Mandrake's evasion capabilities have become increasingly sophisticated as well, incorporating checks for emulation environments, rooted devices, and the presence of analyst tools.

Google Play Protect is designed to counter obfuscation and evasion techniques, and enhancements are planned for future updates to better address the challenges posed by Mandrake and similar threats.

Users can protect themselves against Mandrake and other advanced malware by regularly updating their devices and applications, being cautious when granting permissions to new apps, using reputable mobile security solutions, and avoiding downloading apps from unofficial sources.



Confidence

100%

No Doubts Found At Time Of Publication

Sources

98%

  • Unique Points
    • A new version of the Android spyware Mandrake has been found in five applications downloaded 32,000 times from Google Play.
    • Mandrake hides its initial stage in a native library, 'libopencv_dnn.so', which is heavily obfuscated using OLLVM.
    • Upon installation, the malicious app's library exports functions to decrypt the second-stage loader DEX from its assets folder and load it into memory.
    • Mandrake also uses the session-based installation method to bypass Android 13's restrictions on the installation of APKs from unofficial sources.
    • Like other Android malware, Mandrake can ask for permission to run in the background and hide the dropper app's icon on the victim's device.
    • The malware's latest version features better evasion, now specifically checking for the presence of Frida and verifying if system partitions are mounted as read-only.
    • Google Play Protect is designed to combat obfuscation and evasion techniques, with enhancements planned for future updates.
  • Accuracy
    • Five Mandrake applications with more than 32,000 installs were available on Google Play from 2022 to 2024.
    • New versions of Mandrake included obfuscated native libraries for core malicious functionality.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

97%

  • Unique Points
    • Mandrake spyware returned to Google Play after a two-year break in 2022.
    • New versions of Mandrake included obfuscated native libraries for core malicious functionality.
  • Accuracy
    • Five Mandrake applications with more than 32,000 installs were available on Google Play from 2022 to 2024.
    • Mandrake is equipped with a diverse arsenal of sandbox evasion and anti-analysis techniques.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (95%)
    The author makes several assertions in the article that are not fallacious but do require careful consideration. The author states that Mandrake returned to Google Play after a two-year break and stayed undetected for two years. This is an assertion based on the author's analysis, but it does not contain any logical fallacies. The author also states that the threat actors moved the core malicious functionality to native libraries obfuscated with OLLVM and used certificate pinning for C2 communications. These are statements of fact based on the author's analysis of the new Mandrake samples. However, there is an instance of inflammatory rhetoric when the author describes Mandrake as a 'sophisticated Android cyber-espionage platform' and 'a diverse arsenal of sandbox evasion and anti-analysis techniques.' This language is intended to elicit an emotional response from the reader but does not add any logical substance to the article. Therefore, I am deducting 5 points from the score for this instance of inflammatory rhetoric.
    • Mandrake is a sophisticated Android cyber-espionage platform
    • a diverse arsenal of sandbox evasion and anti-analysis techniques
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

94%

  • Unique Points
    • Mandrake, a sophisticated Android cyber-espionage malware tool, infected over 32,000 devices through five apps on Google Play from 2022 to 2024.
    • New version of Mandrake displayed enhanced obfuscation and evasion tactics such as moving malicious functions to obfuscated native libraries and using certificate pinning for secure communications with C2 servers.
    • Mandrake operates through a multi-stage infection chain that is harder to analyze due to the first stage being hidden within a native library.
    • Threat actors behind Mandrake employed novel approaches to data encryption and decryption using a mix of custom algorithms and standard AES encryption.
    • Mandrake's evasion techniques have become more sophisticated, making it challenging for cybersecurity experts to detect and analyze the malware.
  • Accuracy
    • Mandrake infected over 32,000 devices through five apps on Google Play from 2022 to 2024.
    • The most downloaded app, AirFS, accumulated over 30,000 installations before its removal in March 2024.
  • Deception (95%)
    The article contains several instances of sensationalism and selective reporting. The title 'Mandrake Spyware Infects 32,000 Devices Via Google Play Apps' is misleading, as it implies that all 32,000 devices were infected; by reading the article we learn only that the apps containing Mandrake were downloaded over 32,000 times. The author also selectively reports on certain aspects of the malware, such as its evasion techniques and number of downloads, while omitting information about its capabilities and targets. Additionally, there are several instances of editorializing in the article, such as 'From a technical standpoint' and 'Notably'.
    • The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion and bypassing new defense mechanisms.
    • These applications reportedly remained on Google Play for up to two years, with the most downloaded app, AirFS, accumulating over 30,000 installations before its removal in March 2024.
    • Initially analyzed by Bitdefender in May 2020, Mandrake had operated undetected for at least four years.
    • Mandrake Spyware Infects 32,000 Devices Via Google Play Apps
  • Fallacies (85%)
    The article contains inflammatory rhetoric and appeals to authority. It also uses a dichotomous depiction of the threat actors' skills.
    • . . . amassing over 32,000 downloads while remaining undetected by other cybersecurity vendors.
    • The updated Mandrake samples, described in an advisory published by Kaspersky today, displayed enhanced obfuscation and evasion tactics.
    • Notably, the threat actors behind Mandrake also employed a novel approach to data encryption and decryption, utilizing a mix of custom algorithms and standard AES encryption.
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

98%

  • Unique Points
    • Mandrake is a sophisticated Android spyware campaign that resurfaced on the Google Play Store infecting over 32,000 devices between 2022 and 2024.
    • Mandrake employs sophisticated evasion techniques such as moving malicious code to obfuscated native libraries and using certificate pinning for command-and-control communications.
    • The infected apps include: AirFS (30,305 downloads), Astro Explorer (718 downloads), Amber (19 downloads), CryptoPulsing (790 downloads), Brain Matrix (259 downloads).
    • Mandrake is an advanced cyber-espionage platform that can steal account credentials and sensitive data, record the device screen, track GPS location, access SMS messages and contact lists, install or uninstall other apps, initiate phone calls, and perform screen sharing with remote access.
    • Mandrake targets victims based on factors like geographic location and device characteristics to avoid detection.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (95%)
    The author provides clear and specific information about the Mandrake malware, its capabilities, and the number of installations. There are no apparent logical fallacies or inflammatory rhetoric in the text. However, there is an appeal to authority when mentioning that 'researchers noted' that Mandrake is evolving dynamically and bypassing new defense mechanisms.
    • [researchers noted] The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion, and bypassing new defense mechanisms.
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

99%

  • Unique Points
    • New Mandrake Android malware variant discovered in April 2024 by Kaspersky
    • Mandrake's latest variant employs obfuscation and evasion techniques to remain undetected
    • Threat actors use a unique approach to data encryption and decryption: hybrid method combining custom algorithms and standard AES encryption
  • Accuracy
    • Mandrake first identified in May 2020, active for at least four years
    • Five apps on Google Play with over 32,000 downloads contained Mandrake samples
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication