Google Play is hit by a third Mandrake malware invasion – they’ve been hiding in plain sight for years

An infestation of applications with built-in Mandrake spyware was discovered in the Google Play Store, Kaspersky Lab reported. This is the third wave of the attack – the first two took place in 2016–2017 and 2018–2020, and were discovered by Bitdefender.

Image source: Ivana Tomášková / pixabay.com

The malware's developers took strict measures to avoid detection. The spyware did not operate in 90 countries around the world, including the countries of the former USSR. The final-stage malicious payload was delivered only to selected victims. The applications contained a kill switch that could quickly remove all traces of malicious activity. Mandrake was distributed through fully functional decoy applications, published in the finance, cars and vehicles, video players and editors, art and design, and productivity categories. The developers of these applications promptly fixed bugs in the officially declared functions that users reported in Play Store reviews. TLS certificates were used to communicate with the command-and-control servers.

In the 2018–2020 wave alone, tens of thousands of people fell victim to Mandrake, Bitdefender estimated, and over the entire four-year period there may have been hundreds of thousands. As it now turns out, there was a third wave of spyware distribution: it began in 2022, and Kaspersky Lab experts were able to detect it only in April 2024. This time the carriers were applications for astronomy and cryptocurrencies and a file-sharing tool. The malware developers took additional measures to mask its behavior and prevent detection and analysis in sandboxes, in particular obfuscation (making the code harder to analyze while preserving its functionality) and moving the malicious logic into separate libraries of its own.

Examples of applications with Mandrake in the Google Play Store. Image source: securelist.ru

Mandrake's main goals are to steal user credentials and to download and execute next-stage malicious payloads. But these actions were performed only in the late stages of infection and only against carefully selected targets. The main method is to record the screen while the victim enters a password. For this, the spyware developers provided three scenarios.

In the first scenario, Mandrake took screenshots and sent them to the server at regular intervals, encoded as base64 strings; in response, the attackers could issue additional commands to change the frequency and quality of the screenshots. Other remote commands were also provided: swipe to a specified screen coordinate, change the size and resolution of an open web page, switch between the desktop and mobile versions of a site, enable or disable JavaScript, change the User-Agent string, import or export cookies, navigate back and forward, reload the page, zoom, and other functions. The second scenario differed from the first in that the screenshots were recorded locally into a video file; in the third, a script of actions to perform in a web view on a specified page was received from the server, and those actions were recorded. The screen recordings were subsequently uploaded to the server on command.
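The first scenario above has a network-visible signature that a defender can hunt for: an app that posts base64-encoded screenshots to one host at a near-constant cadence. The script below is an added example written for this article, not code from Kaspersky Lab, Bitdefender or the Mandrake samples. It assumes a constructed egress-proxy log format (timestamp, package name, destination host, body size, first bytes of the request body); the package names and hosts are invented placeholders. It checks whether the body prefix decodes to a PNG or JPEG header, then flags (package, host) flows whose upload intervals show almost no jitter.

```python
import base64
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real telemetry). Assumed format:
# <ISO timestamp> <package> <destination host> <body bytes> <first chars of body>
SAMPLE_LOG = """\
2024-04-02T10:00:00 com.example.astroview api.example-c2.test 84213 iVBORw0KGgoAAAANSUhEUg
2024-04-02T10:00:30 com.example.astroview api.example-c2.test 83990 iVBORw0KGgoAAAANSUhEUg
2024-04-02T10:01:00 com.example.astroview api.example-c2.test 84105 iVBORw0KGgoAAAANSUhEUg
2024-04-02T10:01:30 com.example.astroview api.example-c2.test 84377 iVBORw0KGgoAAAANSUhEUg
2024-04-02T10:02:00 com.example.astroview api.example-c2.test 84002 iVBORw0KGgoAAAANSUhEUg
2024-04-02T10:00:07 com.example.weather weather.example.test 312 eyJjaXR5IjoiUHJhZ3VlIn0
2024-04-02T10:13:41 com.example.weather weather.example.test 298 eyJjaXR5IjoiQnJubyJ9
2024-04-02T10:41:09 com.example.weather weather.example.test 305 eyJjaXR5IjoiT3N0cmF2YSJ9
"""

IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff")  # PNG and JPEG file headers


def looks_like_base64_image(body_prefix: str) -> bool:
    """True if the body starts with base64 text that decodes to a PNG/JPEG header."""
    usable = body_prefix[: len(body_prefix) // 4 * 4]  # base64 decodes in 4-char groups
    if len(usable) < 8:
        return False
    try:
        raw = base64.b64decode(usable, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(IMAGE_MAGIC)


def parse_log(text: str):
    """Parse the assumed log format into (timestamp, package, host, size, prefix) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, host, size, prefix = line.split(maxsplit=4)
        records.append((datetime.fromisoformat(ts), pkg, host, int(size), prefix))
    return records


def find_periodic_image_uploads(text: str, min_uploads: int = 4, max_jitter: float = 0.1):
    """Flag (package, host) flows that upload base64 images at a near-constant interval.

    Jitter is the coefficient of variation of the gaps between uploads; a human
    sharing photos produces irregular gaps, a screenshot beacon does not.
    """
    by_flow = defaultdict(list)
    for ts, pkg, host, _size, prefix in parse_log(text):
        if looks_like_base64_image(prefix):
            by_flow[(pkg, host)].append(ts)

    findings = []
    for (pkg, host), stamps in by_flow.items():
        if len(stamps) < min_uploads:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "package": pkg,
                "host": host,
                "uploads": len(stamps),
                "interval_s": round(statistics.median(gaps), 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_periodic_image_uploads(SAMPLE_LOG):
        print(f"{hit['package']} -> {hit['host']}: {hit['uploads']} image uploads "
              f"every ~{hit['interval_s']} s (jitter {hit['jitter']})")
```

On the constructed sample, only the astronomy app is flagged (five PNG uploads 30 seconds apart, zero jitter); the weather app's small JSON posts are neither images nor periodic. The thresholds are deliberately loose; in a real deployment you would tune `min_uploads` and `max_jitter` against baseline traffic, and pair the rule with the other signals the article mentions, such as an app that stays silent in certain countries or behaves differently under instrumentation.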

Neither Bitdefender nor Kaspersky Lab said who the alleged developer of Mandrake is or what their motives were. All applications carrying the spyware have now been removed from the Play Store.
