Mandrake
Infosec researchers have uncovered a high-end campaign targeting Android users located in Australia with a tool called Mandrake. Of course, the cyber crooks behind the Mandrake hacking tool may choose to change their focus and target users from a different location in future campaigns. The Mandrake malware first emerged in 2016. Ever since malware analysts spotted the Mandrake threat, its creators have been introducing regular updates. The creators of the Mandrake threat have added new features, optimized old ones, removed unnecessary modules, and overall improved the hacking tool to ensure it remains very potent.
Mandrake Collects Sensitive Data from Infected Devices
The Mandrake malware can be distributed to thousands upon thousands of users easily. However, its operators are not taking the mass-spam approach. Instead, they appear to pick their targets carefully. There are only about 500 copies active currently. The Mandrake threat can be classified as spyware, and it would seem that its authors are only deploying it to targets that have been monitored for a while.
If the Mandrake spyware compromises your Android device, it will be able to perform a large variety of tasks. Since the Mandrake threat is classified as spyware, its goal is to collect important information from the targeted hosts. It is likely that the Mandrake spyware allows its operators to get their hands on the user's:
- Login credentials.
- Contacts list.
- Images and videos stored in the gallery.
- Bank account information.
- Payment details.
- Personal conversations.
Having in mind the wide array of information that the Mandrake spyware collects, it is likely that its operators may be using it for both blackmailing operations and financial fraud campaigns.
Since every targeted user seems to be approached by the attackers differently, it is likely that the victims are selected very carefully. The Mandrake campaign is probably carried out by a highly skilled and very experienced group of cybercriminals who know exactly what they are doing. Make sure your Android device is protected by a genuine, reputable anti-virus application.
Evolved Mandrake Mobile Malware Targets Android Users
A new iteration of the highly sophisticated Android spyware, Mandrake, has been discovered lurking within five applications on the Google Play Store. This spyware managed to remain undetected for two years.
Stealthy Infiltration: The Apps and Their Reach
The five infected applications were downloaded more than 32,000 times before being removed from the Google Play Store. The majority of these downloads originated from countries including Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K.
Advanced Evasion Tactics
The new samples of Mandrake featured advanced layers of obfuscation and evasion techniques:
- Moving malicious functionality to obfuscated native libraries
- Using certificate pinning for secure command-and-control (C2) communications
- Performing numerous tests to detect if the malware was running on a rooted device or in an emulated environment
Anti-Analysis Techniques
Mandrake's updated variants utilized OLLVM (Obfuscator-LLVM) to conceal their main functionality. Additionally, they incorporated various sandbox evasion and anti-analysis techniques to prevent detection by malware analysts.
The Infected Applications
The five applications found to contain Mandrake spyware are:
- AirFS (com.airft.ftrnsfr)
- Amber (com.shrp.sght)
- Astro Explorer (com.astro.dscvr)
- Brain Matrix (com.brnmth.mtrx)
- CryptoPulsing (com.cryptopulsing.browser)
Multi-Stage Infection Process
Stage One: The Dropper
The initial infection begins with a dropper that launches a loader. This loader executes the core component of the malware after downloading and decrypting it from a C2 server.
Stage Two: Information Gathering
The second-stage payload collects information about the device, including:
- Connectivity status
- Installed applications
- Battery percentage
- External IP address
- Current Google Play version
Additionally, it can wipe the core module and request permissions to draw overlays and run in the background.
Stage Three: Credential Theft and More
The third stage supports additional commands, such as:
- Loading a specific URL in a WebView
- Initiating a remote screen-sharing session
- Recording the device screen to steal credentials and drop more malware
Bypassing Android 13's 'Restricted Settings'
Mandrake employs a 'session-based' package installer to bypass Android 13's 'Restricted Settings' feature, which prohibits sideloaded applications from directly requesting unsafe permissions.
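A triage check a defender can run over the output of `adb shell pm list packages -i` to catch both things the write-up describes: the five trojanized package names listed above, and the footprint a dropper leaves when it installs a second stage through the package installer itself (the payload's recorded installer is then another user app rather than the store). This is an added example, not code from the original report or from the researchers; it assumes `pm` prints each line as `package:<name>  installer=<installer>`, treats only `com.android.vending` (Google Play) and `null` (preloaded packages) as expected installers, and uses constructed sample output rather than a real device capture.

```python
import re
from dataclasses import dataclass

# Package names of the five trojanized apps named in the write-up.
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr", "com.shrp.sght", "com.astro.dscvr",
    "com.brnmth.mtrx", "com.cryptopulsing.browser",
}
# Assumption: Google Play reports as com.android.vending and preloaded
# packages as "null". Extend this for OEM stores present on the device.
TRUSTED_INSTALLERS = {"com.android.vending", "null"}

# Assumed line format of `adb shell pm list packages -i`.
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_output(text):
    """Parse `pm list packages -i` output into (package, installer) pairs."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def triage(text):
    """Flag known Mandrake packages and any app whose recorded installer is
    another user app, the pattern left by a dropper installing its payload."""
    findings = []
    for pkg, installer in parse_pm_output(text):
        if pkg in MANDRAKE_PACKAGES:
            findings.append(Finding(pkg, installer, "known Mandrake package"))
        elif installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, installer, f"installed by app {installer}"))
    return findings


# Constructed sample output; not captured from a real device.
SAMPLE = """\
package:com.android.settings  installer=null
package:com.example.notes  installer=com.android.vending
package:com.airft.ftrnsfr  installer=com.android.vending
package:com.example.payload  installer=com.airft.ftrnsfr
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.package}: {f.reason}")
```

A hit on the second rule is a lead, not a verdict: legitimate app stores or enterprise MDM agents also appear as installers and belong in the trusted set for that fleet.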
Conclusion: An Ever-Evolving Threat
Researchers describe Mandrake as a dynamically evolving threat, continuously refining its techniques to bypass defense mechanisms and evade detection. This showcases the threat actors' formidable skills and highlights the necessity for stricter controls for applications before they are published on official app marketplaces.