A mysterious family of Android malware with a demonstrated history of effectively concealing its myriad spying activities has once again been found in Google Play after more than two years of hiding in plain sight.
The apps, disguised as file-sharing, astronomy, and cryptocurrency apps, hosted Mandrake, a family of highly intrusive malware that security firm Bitdefender called out in 2020. Bitdefender said the apps appeared in two waves, one in 2016 through 2017 and again in 2018 through 2020. Mandrake’s ability to go unnoticed then was the result of some unusually rigorous steps to fly under the radar. They included:
- Not working in 90 countries, including those comprising the former Soviet Union
- Delivering its final payload only to victims who were extremely narrowly targeted
- Containing a kill switch the developers named seppuku (a Japanese form of ritual suicide) that fully wiped all traces of the malware
- Fully functional decoy apps in categories including Finance, Auto & Vehicles, Video Players & Editors, Art & Design, and Productivity
- Quick fixes for bugs reported in comments
- TLS certificate pinning to conceal communications with command and control servers
Lurking in the shadows
Bitdefender estimated the number of victims in the tens of thousands for the 2018 to 2020 wave and “probably hundreds of thousands throughout the full 4-year period.”
Following Bitdefender’s 2020 report, Mandrake-infected apps seemed to vanish from Play. Now, security firm Kaspersky has reported that the apps reappeared in 2022 and went unnoticed until now. Besides a new round of decoy apps, the Mandrake operators also introduced several measures to better conceal their malicious behavior, avoid analysis from “sandboxes” used by researchers to identify and study malware, and combat malware protections introduced in recent years.
“The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion, and bypassing new defense mechanisms,” Kaspersky researchers Tatyana Shishkova and Igor Golovin wrote. “After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years, while still available for download on Google Play. This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.”