Kaspersky experts have discovered a new spyware campaign that spreads the malware ‘Mandrake’ in Google Play. The malware disguises itself as legitimate apps for cryptocurrencies, astronomy or utility tools.
Five of the apps found by Kaspersky have been available on Google Play for two years and have been downloaded more than 32,000 times; Mandrake uses advanced obfuscation and evasion techniques to avoid detection by security vendors.
Mandrake is an advanced espionage platform for Android that was first identified in 2020 and has been active since at least 2016. In April 2024, Kaspersky experts investigated a suspicious sample in which Mandrake had new functionalities. Its main differentiator from the previous campaign is a set of advanced obfuscation and evasion techniques, including:
- moving the harmful functionality into native libraries obfuscated with OLLVM,
- using certificate pinning to secure communication with the command-and-control (C2) servers, and
- checking whether Mandrake is running on a rooted device or inside a virtual environment.
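The three evasion traits just listed map directly onto static triage checks a defender can run on an APK before it reaches a device. The following Python script is an added illustration, not code from Kaspersky or from the article: it builds a constructed APK-like zip in memory (real APKs are zip files with `classes.dex` and `lib/<abi>/*.so`), then flags native libraries, high byte entropy inside those libraries (a rough proxy for packed or OLLVM-obfuscated code), and strings commonly associated with root/emulator checks and certificate pinning. All marker strings, the entropy threshold and the sample contents are assumptions chosen for the illustration; a hit is a reason to look closer, not proof of malice, since legitimate apps also pin certificates and check for root.

```python
import io
import math
import zipfile

# Heuristic markers, assumed for this illustration. They occur in legitimate
# apps too (banking apps pin certificates and check for root), so a hit only
# flags the APK for closer review.
ROOT_EMULATOR_MARKERS = [
    b"/system/bin/su", b"/system/xbin/su", b"test-keys",   # root indicators
    b"goldfish", b"ranchu", b"generic_x86",                # emulator indicators
]
PINNING_MARKERS = [b"CertificatePinner", b"sha256/", b"checkServerTrusted"]
ENTROPY_THRESHOLD = 7.0  # bits per byte; ordinary compiled code usually sits lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes: bytes) -> dict:
    """Scan an APK (a zip archive) for the three evasion traits and return findings."""
    findings = {
        "native_libs": [],
        "high_entropy_libs": [],
        "root_emulator_markers": [],
        "pinning_markers": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if info.filename.startswith("lib/") and info.filename.endswith(".so"):
                findings["native_libs"].append(info.filename)
                if shannon_entropy(data) > ENTROPY_THRESHOLD:
                    findings["high_entropy_libs"].append(info.filename)
            for marker in ROOT_EMULATOR_MARKERS:
                text = marker.decode()
                if marker in data and text not in findings["root_emulator_markers"]:
                    findings["root_emulator_markers"].append(text)
            for marker in PINNING_MARKERS:
                text = marker.decode()
                if marker in data and text not in findings["pinning_markers"]:
                    findings["pinning_markers"].append(text)
    return findings


def risk_score(findings: dict) -> int:
    """Number of trait categories that fired (0..4); higher means more to review."""
    return sum(1 for hits in findings.values() if hits)


def build_sample_apk(suspicious: bool) -> bytes:
    """Constructed stand-in for an APK; this is not a real Mandrake sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if suspicious:
            zf.writestr(
                "classes.dex",
                b"dex\n035\x00 Lokhttp3/CertificatePinner; sha256/AAAA= "
                b"checkServerTrusted /system/bin/su goldfish",
            )
            # Every byte value 16 times: entropy exactly 8.0, as packed code looks.
            zf.writestr("lib/arm64-v8a/libnative.so", bytes(range(256)) * 16)
        else:
            zf.writestr("classes.dex", b"dex\n035\x00 Lcom/example/Hello; plain app code")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("suspicious", build_sample_apk(True)),
                       ("benign", build_sample_apk(False))):
        result = triage_apk(apk)
        print(label, "risk", risk_score(result), result)
```

Run against a real APK by reading the file into `triage_apk`; the entropy check is the weakest signal (compressed assets also score high), so it is worth restricting to `lib/` as done here and treating the string markers as the more informative hits.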
According to VirusTotal, none of the apps were detected as malware by security providers until July 2024. Mandrake disguised itself in the Google Play Store as apps for file sharing via Wi-Fi, astronomical services, cryptocurrency and logic puzzles, as well as a game for the character “Amber” from the RPG “Genshin Impact”. In addition to Germany, most of the more than 32,000 downloads come from Canada, Italy, Mexico, Spain, Peru and the United Kingdom; the apps are no longer available on Google Play.
Given the similarity to earlier C2 campaigns registered in Russia, Kaspersky’s experts assume that this is most likely the same threat actor as in Bitdefender’s 2016 detection report.
“After evading detection for four years in its original form, the current Mandrake campaign in the Google Play Store also remained undetected for two years. This shows the advanced capabilities of the threat actor behind the malware,” commented Tatyana Shishkova, Lead Security Researcher in Kaspersky’s Global Research and Analysis Team (GReAT). “It shows a worrying trend: as regulations and security controls tighten, threats attempting to infiltrate official app stores are becoming more sophisticated and therefore more difficult to detect.”
Kaspersky recommendations for protection against spyware
- Only download apps and software from official stores, even if they do not guarantee complete protection. Avoid third-party stores that are more likely to offer malicious or compromised apps. Always check the comments and ratings before downloading.
- Install and keep updated reliable antivirus and anti-malware software – such as Kaspersky Premium, which protects against known and unknown threats – and regularly scan all devices for potential threats.
- Keep yourself regularly informed about current threats, tactics and techniques used by cyber criminals. Beware of unexpected requests, suspicious offers or urgent demands for personal or financial information.
Further information on the Mandrake campaign is available here.
(vp/Kaspersky)