Kaspersky researchers have identified a new campaign distributing Mandrake spyware through Google Play. The malware, disguised as legitimate apps like cryptocurrency tools and astronomy services, managed to evade detection for two years and amassed over 32,000 downloads.
First identified in 2020, Mandrake is a sophisticated Android espionage platform. This new variant employs advanced techniques to bypass Google Play’s security checks and to hinder analysis: the malicious logic is moved out of the app’s Dalvik bytecode into obfuscated native libraries, which are considerably harder to decompile and inspect, and communication with the command-and-control servers is protected so that it is not readily intercepted. In addition, the malware checks for signs of a rooted device or an emulated environment before it activates, so that it stays dormant on the analysis setups researchers and automated scanners typically use.
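The root and emulator checks described above are a well-known Android analysis-evasion pattern. The following is an added illustration written for this page of what such a gate typically looks like; it is not Mandrake’s code, and the specific build properties and su-binary paths it inspects are assumptions drawn from common practice rather than anything the article states.

```java
import android.os.Build;
import java.io.File;

// Illustrative sandbox/root gate of the kind the article describes.
// Example code written for this page, not Mandrake's own code; the
// properties and paths checked are assumptions based on common practice.
public final class EnvironmentCheck {

    // Locations where a su binary is commonly placed on rooted devices (assumed list).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"
    };

    /** True if a su binary exists in a usual location or the ROM is signed with test keys. */
    public static boolean looksRooted() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        // "test-keys" in Build.TAGS indicates a non-production build, often a custom ROM.
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    /** True if Build fields carry markers of the stock Android emulator or a generic virtual device. */
    public static boolean looksEmulated() {
        String fingerprint = Build.FINGERPRINT == null ? "" : Build.FINGERPRINT;
        String hardware = Build.HARDWARE == null ? "" : Build.HARDWARE;
        String model = Build.MODEL == null ? "" : Build.MODEL;
        return fingerprint.startsWith("generic")
            || fingerprint.startsWith("unknown")
            || hardware.contains("goldfish")   // classic emulator kernel
            || hardware.contains("ranchu")     // newer emulator kernel
            || model.contains("Emulator")
            || model.contains("Android SDK built for");
    }

    /** The later stages are only reached on a device that looks real to these heuristics. */
    public static boolean shouldProceed() {
        return !looksRooted() && !looksEmulated();
    }
}
```

For an analyst, the practical consequence is that a sample guarded this way shows no malicious behaviour in a default emulator or on a rooted test phone; dynamic analysis needs either a stock physical device or instrumentation that rewrites the Build fields and file-existence results these checks rely on.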
The five identified apps, available on Google Play between 2022 and 2024, posed as file-sharing, astronomy, gaming, cryptocurrency, and logic-puzzle applications. As of July 2024, none of them was flagged by any other security vendor on VirusTotal. Downloads were concentrated in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
“This campaign highlights the evolving threat landscape,” comments Tatyana Shishkova, Lead Security Researcher at Kaspersky. “While initial versions of Mandrake evaded detection for four years, this latest variant remained hidden for an additional two years on Google Play. It demonstrates the growing sophistication of attackers targeting official app stores.”
Kaspersky recommends downloading apps only from official marketplaces, while exercising caution when installing software even from reputable sources, since, as this campaign shows, presence on an official store is not by itself proof that an app is safe. Users are advised to check app reviews and ratings, keep security software up to date, and stay informed about common cyber threats.