Mandrake Malware Hits 5 Apps on Google Play Store

Researchers from Kaspersky Lab disclosed yesterday, July 29, a new version of the Mandrake (Mandragor) spyware. The updated version made it into Google Play by using advanced techniques to evade the store's protective systems, hidden inside five distinct applications that were uploaded back in 2022.

Mandrake was first documented by Bitdefender in 2020, when its impact surprised specialists because it had stayed hidden in Google Play for four years. The latest discovery lists the applications flagged by Kaspersky Lab, the most popular of which were only removed by Google in March of this year: airfs with 30,305 downloads, Astro Explorer with 718, amber with 19, Cryptopulsing with 790, and Brain Matrix with 259.

Most downloads of these infected applications were recorded in Canada, Germany, Italy, Mexico, Spain, Peru, and Great Britain. Airfs was the most downloaded of the identified applications.

Unlike typical Android malware, which embeds its malicious logic in the application file itself, Mandrake hides its first stage inside the native library libopencv_dnn.so, heavily obfuscated with OLLVM. On installation, this library decrypts and loads the second stage from the DEX file. The application then asks for permission to display notifications and loads a second native library, libopencv_java3.so, to decrypt the certificate used for secure communication with the command-and-control server.

Once a connection to the server is established, the application sends the device profile and, if the device meets the operators' criteria, receives the main Mandrake component. When activated, the spyware can carry out a range of harmful actions, including data collection, screen recording, command execution, gesture simulation, file management, and installing further applications.
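The staging described above means the interesting code is in the native libraries, not in the DEX that static scanners usually focus on. The following triage script is an added example written for this page, not code from Kaspersky or any other party: it treats an APK as the ZIP archive it is, enumerates every `lib/<abi>/*.so` entry, hashes it, checks that it actually starts with an ELF header, and flags entries whose file name matches the two library names cited in the report. The APK it inspects is constructed inline as a stand-in for a real sample, and the watchlist and helper names are this example's own.

```python
import hashlib
import io
import zipfile
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"

# Library names cited in the report as carrying Mandrake's first and second stage.
# A name match alone is a weak signal: OpenCV is legitimately bundled by many apps.
WATCHLIST = {"libopencv_dnn.so", "libopencv_java3.so"}


def inspect_native_libs(apk_bytes: bytes) -> List[Dict]:
    """Return one record per lib/<abi>/*.so entry in the APK (an APK is a ZIP file)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            parts = info.filename.split("/")
            if len(parts) != 3 or parts[0] != "lib" or not parts[2].endswith(".so"):
                continue  # not a native library entry
            data = z.read(info)
            findings.append({
                "path": info.filename,
                "abi": parts[1],
                "name": parts[2],
                "size": len(data),
                "is_elf": data[:4] == ELF_MAGIC,
                "sha256": hashlib.sha256(data).hexdigest(),
                "on_watchlist": parts[2].lower() in WATCHLIST,
            })
    return findings


def triage(apk_bytes: bytes) -> List[str]:
    """Produce human-readable flags for an analyst to follow up on."""
    flags = []
    for rec in inspect_native_libs(apk_bytes):
        if rec["on_watchlist"]:
            flags.append(f"{rec['path']}: name matches a library cited in the Mandrake report "
                         f"(sha256 {rec['sha256'][:16]}...), compare against a known-good OpenCV build")
        if not rec["is_elf"]:
            flags.append(f"{rec['path']}: .so entry without an ELF header, "
                         f"likely an encrypted or packed payload rather than a library")
    return flags


def build_sample_apk() -> bytes:
    """Constructed sample for demonstration only, not a real application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("lib/arm64-v8a/libopencv_dnn.so", ELF_MAGIC + b"\x00" * 60)
        z.writestr("lib/arm64-v8a/libhelper.so", b"not-an-elf-blob")
        z.writestr("lib/arm64-v8a/libc++_shared.so", ELF_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage(build_sample_apk()):
        print(line)
```

On the constructed sample this reports two findings: the watchlisted `libopencv_dnn.so` and the `libhelper.so` entry that is not an ELF file at all. In practice the hash comparison is the useful step: a library named like a well-known open-source component but with a hash that matches no published build of that component deserves a closer look, while a genuine OpenCV hash can be dismissed quickly.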

The new version of Mandrake adds protection mechanisms such as a check for the presence of Frida tooling, verification of the device's root status, and a check of whether the system partition is mounted read-only. Android users are advised to install applications only from trustworthy publishers, to read reviews before installing, to refuse suspicious permission requests, and to keep Google Play Protect enabled on their devices. Google Play Protect is continually updated to shield users from known variants of spyware, warning about or blocking applications that show suspicious behavior.
