
Mandrake Android Spyware

Written by The Hivemind | Aug 5, 2024 6:46:26 PM

Executive Summary

A new version of Mandrake Android spyware was observed being distributed by multiple Android APKs on the Google Play store earlier this year.

Key Takeaways

  • A new version of Mandrake Android spyware was observed being distributed by multiple Android APKs on the Google Play store earlier this year.
  • The current Mandrake campaign has likely been active since 2022. 
  • Affected Android apps include AirFS, Astro Explorer, Amber, CryptoPulsing, and Brain Matrix.
  • The new version of Mandrake includes an updated infection chain and uses new obfuscation layers and evasion techniques to thwart detection and analysis.

What is Mandrake?

Kaspersky Securelist recently reported on a new version of Mandrake Android spyware that was distributed through multiple Android APKs on the Google Play store earlier this year.

Mandrake is spyware targeting Android devices. It was first seen in the wild in 2016, with earlier campaigns active in 2016-2017 and 2018-2020. Earlier this year, Kaspersky observed new Mandrake samples from a campaign that has likely been active since 2022. Affected Android apps include AirFS, Astro Explorer, Amber, CryptoPulsing, and Brain Matrix. The app with the most downloads was AirFS, which posed as a file-sharing app. Together, the five infected applications have over 32,000 downloads, and they remained undetected by most security vendors. The largest numbers of downloads came from users in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.

The Mandrake infection chain uses three components: a dropper, a loader, and the core malware. The first-stage malicious activity is hidden in a native library, libopencv_dnn.so, which makes it harder to analyze and detect. This library exports functions that decrypt the second-stage loader from the assets/raw folder.

According to Kaspersky, when the second stage is executed, "the second-stage native library path is added to the class loader, and the second-stage main activity and service start." The application then requests permission to draw overlays. Once the second-stage library is loaded, a certificate used for C2 communications is decrypted, and the malware sends device details and other data to the C2. If the threat actors deem the device a worthy target, they issue a command to download and run the core component of Mandrake; the third stage, containing the core Mandrake malware, is then downloaded, decrypted, and executed.

Mandrake has a variety of spyware capabilities, including capturing screenshots, screen recording, cookie theft, and running automated actions on a page. It can also steal user credentials and download and execute next-stage malware. Mandrake retrieves the APKs for follow-on malware from the C2 and prompts the user with what appears to be a legitimate Google Play notification, tricking them into manually tapping the notification, which initiates the malware installation. Mandrake bypasses Android's "Restricted Settings" by using a session-based package installer to install the next-stage malware. The new version of Mandrake also adds obfuscation layers and evasion techniques to thwart detection and analysis.
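The dropper layout described above (first stage in a native library named libopencv_dnn.so, an encrypted second-stage loader under assets/raw, an overlay permission request, and a session-based installer for the next stage) can be turned into a static triage check that runs against an APK without executing it. The script below is an added example written for this write-up; it is not PolySwarm's or Kaspersky's tooling, and it does not parse Android binary XML in full. It treats an APK as the zip container it is, flags the suspect native library name, measures Shannon entropy of files under assets/raw to spot opaque (likely encrypted) payloads, and searches the manifest for the SYSTEM_ALERT_WINDOW and REQUEST_INSTALL_PACKAGES permissions by looking for their UTF-16LE or UTF-8 encodings in the string pool. The 7.5 bits/byte entropy threshold and the sample APK built in memory are assumptions for illustration, not values taken from the reported samples.

```python
"""Static triage of an APK for the Mandrake dropper layout described above.

Added example, not PolySwarm's or Kaspersky's tooling. It flags three things
the write-up mentions: a native library named libopencv_dnn.so, opaque
(high-entropy, i.e. likely encrypted) files under assets/raw/, and manifest
permissions for overlays (SYSTEM_ALERT_WINDOW) and package installation
(REQUEST_INSTALL_PACKAGES). The sample APK is constructed in memory.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

SUSPECT_NATIVE_LIB = "libopencv_dnn.so"
PAYLOAD_DIR = "assets/raw/"
WATCHED_PERMISSIONS = (
    "android.permission.SYSTEM_ALERT_WINDOW",       # draw overlays
    "android.permission.REQUEST_INSTALL_PACKAGES",  # session-based installs
)
ENTROPY_THRESHOLD = 7.5  # assumed cutoff; encrypted/compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def manifest_has_permission(manifest: bytes, permission: str) -> bool:
    """Heuristic: Android binary XML keeps its string pool in UTF-16LE
    (or UTF-8 when the UTF-8 flag is set), so a byte search for both
    encodings finds the permission name without a full AXML parser."""
    return (permission.encode("utf-16-le") in manifest
            or permission.encode("utf-8") in manifest)


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the indicators found in an APK (a zip container)."""
    findings = {"native_libs": [], "opaque_assets": [], "permissions": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("lib/") and name.endswith(SUSPECT_NATIVE_LIB):
                findings["native_libs"].append(name)
            elif name.startswith(PAYLOAD_DIR) and not name.endswith("/"):
                ent = shannon_entropy(zf.read(name))
                if ent >= ENTROPY_THRESHOLD:
                    findings["opaque_assets"].append((name, round(ent, 2)))
        if "AndroidManifest.xml" in names:
            manifest = zf.read("AndroidManifest.xml")
            findings["permissions"] = [
                p for p in WATCHED_PERMISSIONS
                if manifest_has_permission(manifest, p)
            ]
    return findings


def build_sample_apk() -> bytes:
    """Constructed test input mimicking the dropper layout; not a real sample."""
    # 8 KiB of deterministic pseudo-random bytes stands in for an encrypted stage
    opaque = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(256))
    # Fake binary-XML header followed by a UTF-16LE string pool
    manifest = b"\x03\x00\x08\x00" + "\0".join([
        "android.permission.INTERNET",
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.REQUEST_INSTALL_PACKAGES",
    ]).encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        zf.writestr("lib/arm64-v8a/libopencv_dnn.so", b"\x7fELF" + b"\0" * 64)
        zf.writestr("assets/raw/loader.bin", opaque)            # "encrypted" stage 2
        zf.writestr("assets/raw/readme.txt", b"plain text asset " * 40)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Treat the output as a triage signal, not a verdict: the library name alone is not malicious (OpenCV ships a real dnn module), legitimate apps carry encrypted assets, and the permission check is a byte search that can miss manifests with unusual string-pool layouts. Run it over a whole app corpus and pivot on the combination of all three findings plus the hashes listed under IOCs.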

IOCs

PolySwarm has multiple samples of Mandrake.

 

31fdbea5531b06d44932bebf215a0282969c0c367827cd19f58df12dbacd8a16

07fec5af5336dd2fbb0b0cb2277a279afb0ab1949dd9fe9e6c0ecfdc02908212

 

You can use the following CLI command to search for all Mandrake samples in our portal:

$ polyswarm link list -f Mandrake

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.