“Mandrake” was the name Bitdefender gave to a new type of Android spyware in 2020. At the time, it had gone undetected for four years. A new Mandrake variant has now been detected by Kaspersky, two years after it began its spread.
In total, the rogue software has been downloaded 32,000 times. The only culprit with a somewhat sizable impact was AirFS, an app that appeared to do nothing more than enable Wi-Fi file sharing. In reality, the app was sophisticated spyware under a new and more elaborate disguise. For example, the payload hid within conventional native libraries. Legitimate Android apps also bundle such libraries, so one more going in is not noticed.
This library then decrypts a second stage, a DEX loader, which is loaded into memory. Less sophisticated malware variants would take this step directly, but security analysts can detect such a move quite easily. Through a second native library called “libopencv_java3.so,” the spyware communicates with a command-and-control (C2) server.
Scam continues
Once the installation is complete, the cybercriminals behind Mandrake deceive their victims multiple times. Fake Play Store notifications urge users to download new files: these are further rogue APKs meant to do additional damage, although it is unclear what exactly these APKs did. It may be that the cybercriminals wanted to sell this level of access to phones to fellow attackers.
The Mandrake spyware also recognizes whether the Frida toolkit is present on the Android device. It’s a solution widely used by security specialists to detect malicious behavior. Mandrake’s other checks ensure that the Android phone in question is a suitable target with all the required permissions. Once the user approves the app to run in the background, the attackers have completed their infiltration.
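The two traits described above, a native library that loads a DEX stage into memory and a check for the Frida toolkit, both leave string artifacts that a defender can look for when triaging an APK. The script below is an added example, not code from the article or from any of the vendors mentioned; it treats the APK as the zip file it is, scans every bundled native library for generic indicator strings (public Android API and Frida names, not Mandrake-specific IoCs), and runs against a constructed sample APK whose "libraries" are plain byte strings rather than real ELF files.

```python
import io
import re
import zipfile

# Generic indicator strings for triage (assumption: chosen for illustration, not
# taken from any Mandrake sample). Category -> substrings to look for.
INDICATORS = {
    "in_memory_dex_loading": [b"InMemoryDexClassLoader", b"DexClassLoader", b"dalvik/system/"],
    "anti_frida": [b"frida", b"gum-js-loop", b"27042"],
}
# Native code in an APK lives under lib/<abi>/lib*.so
NATIVE_LIB = re.compile(r"^lib/[^/]+/(lib[^/]+\.so)$")


def scan_apk(apk_bytes: bytes) -> dict:
    """Return {library name: sorted indicator categories hit} for every native
    library in the APK. Libraries with no hits map to an empty list, so the
    caller can also see which libraries were examined."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            m = NATIVE_LIB.match(name)
            if not m:
                continue
            data = apk.read(name)
            found = {cat for cat, needles in INDICATORS.items()
                     if any(n in data for n in needles)}
            lib = m.group(1)  # same library name may appear under several ABIs
            hits[lib] = sorted(set(hits.get(lib, [])) | found)
    return hits


def build_sample_apk() -> bytes:
    """Constructed sample APK layout. The library contents are fake byte strings
    carrying the indicator substrings; a real scan would read genuine ELF files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\x00")
        apk.writestr("lib/arm64-v8a/libopencv_java3.so",
                     b"\x7fELF...cvCreateMat...dalvik/system/InMemoryDexClassLoader...frida-server...")
        apk.writestr("lib/arm64-v8a/libfilesharing.so",
                     b"\x7fELF...send_file...recv_file...")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, cats in scan_apk(build_sample_apk()).items():
        print(lib, cats or "no indicators")
```

String scanning only catches what is left in cleartext; a payload that is encrypted until runtime, as the article describes, needs dynamic analysis on top of this, and legitimate apps with their own anti-tamper code can trigger the same categories, so hits are a prompt for a closer look rather than a verdict.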
Impact could have been much bigger
The AirFS app was the only somewhat successful app with 30,305 downloads. It has since been removed from the Google Play Store, as have the four other apps that also tried to sneak Mandrake onto users' devices. One boon for AirFS was that it had dozens of reviews and, at 2.9 stars, seemed competent enough to install without a second thought. For fairly basic functionality like file sharing over Wi-Fi, users obviously do not deliberate long over which specific app to use. A mediocre rating therefore does not deter users, even though a 2.9 rating pushes the app down in the search results.
Speaking to BleepingComputer, Google says it is continuously improving Play Protect, its defense mechanism against rogue apps. Still, apps slip past this line of defense just as regularly. The diverse nature of the Android ecosystem seems to make it impossible to contain malicious app behavior. According to the company, users who unsuspectingly run malware that has since been detected receive a notification from Google. The annoying thing is that cybercriminals also impersonate Google with credible push notifications, a phenomenon that for now cannot be eradicated.