A new iteration of a sophisticated Android spyware called Mandrake has been found in five apps that were available for download from the Google Play Store and remained undetected for two years.
The apps attracted a total of more than 32,000 installs before being removed from the app storefront, Kaspersky said on Monday. Most of the downloads came from Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K.
“The new samples included new levels of obfuscation and evasion techniques, such as moving malicious functionality into obfuscated proprietary libraries, using certificate pinning for C2 communication, and running a wide variety of tests to verify whether Mandrake is running on a rooted device or in an emulated environment,” the researchers Tatsiana Shyshkova and Igor Golovin said.
Mandrake was first documented by Romanian cybersecurity vendor Bitdefender in May 2020, which described its deliberate approach to infecting devices while managing to stay hidden since 2016.
The updated variants are characterized by the use of OLLVM to hide core functionality, while incorporating a number of sandbox-evasion and anti-analysis techniques to prevent the code from executing in environments controlled by malware analysts.
The list of apps containing Mandrake is as follows:
- AirFS (com.airft.ftrnsfr)
- Amber (com.shrp.sght)
- Astro Explorer (com.astro.dscvr)
- Brain Matrix (com.brnmth.mtrx)
- CryptoPulsing (com.cryptopulsing.browser)
The apps feature a three-stage architecture: a dropper that runs a loader, which in turn executes the main component of the malware after it has been downloaded and decrypted from the command-and-control (C2) server.
The second-stage payload is also capable of collecting information about the device's connectivity status, installed apps, battery percentage, external IP address, and current Google Play version. It can also erase the main module and request permissions to draw overlays and run in the background.
The third stage supports additional commands to load a specific URL into the WebView and initiate a remote screen sharing session, as well as record the device’s screen to steal victim credentials and drop more malware.
“Android 13 introduces a ‘Restricted Settings’ feature that prevents sideloaded apps from directly requesting dangerous permissions,” the researchers said. “To bypass this feature, Mandrake handles the installation with a ‘session-based’ package installer.”
The Russian security company described Mandrake as an example of a threat that is dynamically evolving and constantly improving its techniques to bypass defense mechanisms and evade detection.
“This highlights the superior skills of threat actors, and the fact that stricter controls on apps before they are published on marketplaces only result in more sophisticated, harder-to-detect threats entering the official app marketplaces,” it said.
When reached for comment, Google told The Hacker News that it is constantly strengthening Google Play Protect as new malware is flagged, and that it is expanding its capabilities to include live threat detection to address obfuscation and anti-evasion techniques.
“Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services,” a Google spokesperson said. “Google Play Protect can warn users or block apps that are known to exhibit malicious behavior, even if those apps come from sources outside of Play.”