Stratos Ally

Mandrake Spyware Infected Apps Found in Google Play Store  


StratosAlly


Security researchers have found a new version of Mandrake, an Android spyware that slipped into the Google Play Store and evaded detection there for two years. The malware was found in five apps that together accumulated over 32,000 downloads before Google removed them.

Kaspersky's researchers showed that the updated Mandrake has improved how it hides and avoids detection: it moves its malicious functionality into obfuscated native libraries, uses certificate pinning when communicating with its command-and-control servers, and performs numerous checks to spot rooted devices or emulated environments.

The malware, active since 2016 but first documented by researchers in 2020, now uses OLLVM to obfuscate its main functions. It also employs a range of sandbox-evasion and anti-analysis techniques to hinder security researchers trying to study its code.

Mandrake operates in three stages: a dropper, a loader, and a core component. The second stage collects device information and can request the permissions needed for overlay attacks and for running in the background. The final stage can load URLs in a WebView, start remote screen sharing, and capture the device screen in order to steal credentials and deliver additional malware.

To get around Android 13’s “Restricted Settings” feature, which stops sideloaded apps from asking for dangerous permissions, Mandrake uses a session-based package installer.  

Google has responded by strengthening its Play Protect defenses, including the addition of live threat detection aimed at obfuscation and evasion techniques. The company says Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on devices with Google Play Services.
