Mandrake Malware: A Persistent Threat in the Android Ecosystem
A recent investigation by Kaspersky has unveiled a new variant of the notorious Android spyware known as Mandrake, which has infiltrated five applications available on Google Play. These apps, collectively downloaded over 32,000 times, were present on the platform for at least a year before the last one, AirFS, was removed in March 2024. The original Mandrake malware was first documented by Bitdefender in 2020, showcasing its advanced spying capabilities and active presence since at least 2016.
Kaspersky’s analysis identified the five applications harboring the Mandrake malware as:
- AirFS – File sharing via Wi-Fi by it9042 (30,305 downloads between April 28, 2022, and March 15, 2024)
- Astro Explorer by shevabad (718 downloads from May 30, 2022, to June 6, 2023)
- Amber by kodaslda (19 downloads between February 27, 2022, and August 19, 2023)
- CryptoPulsing by shevabad (790 downloads from November 2, 2022, to June 6, 2023)
- Brain Matrix by kodaslda (259 downloads between April 27, 2022, and June 6, 2023)
The majority of downloads originated from countries including Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
Evading Detection
What sets Mandrake apart from typical Android malware is its cunning approach to concealment. Instead of embedding malicious code directly into the app’s DEX file, Mandrake cleverly hides its initial stage within a native library named ‘libopencv_dnn.so,’ which is heavily obfuscated using OLLVM. Upon installation of the malicious app, this library exports functions designed to decrypt a second-stage loader DEX from its assets folder and subsequently loads it into memory.
The second stage of the malware requests permissions to draw overlays and loads another native library, ‘libopencv_java3.so,’ which is responsible for decrypting a certificate that facilitates secure communication with the command and control (C2) server. Once a connection is established, the app sends a device profile and, if the device meets certain criteria, receives the core Mandrake component (the third stage).
Once activated, the Mandrake spyware is capable of executing a variety of malicious activities, including:
- Data collection
- Screen recording and monitoring
- Command execution
- Simulation of user swipes and taps
- File management
- Installation of additional malicious apps
Notably, the malware can prompt users to install further malicious APKs by displaying notifications that mimic Google Play, thereby tricking users into downloading unsafe files under the guise of a trusted process.
In addition to its stealthy operations, Mandrake employs a session-based installation method to circumvent restrictions imposed by Android 13 and later versions regarding the installation of APKs from unofficial sources. Like many other Android malware variants, Mandrake can request permissions to run in the background and can hide the dropper app’s icon on the victim’s device, allowing it to operate undetected.
The latest iteration of Mandrake has also introduced battery evasion techniques, specifically checking for the presence of Frida, a dynamic instrumentation toolkit favored by security analysts. It further assesses the device’s root status, searches for specific binaries associated with rooting, verifies if the system partition is mounted as read-only, and checks whether development settings and ADB are enabled on the device.
While the five identified apps are no longer available on Google Play, the Mandrake threat persists, with cybercriminals continually evolving their tactics to stay ahead of detection mechanisms. As always, users are advised to exercise caution when downloading apps and to ensure their devices are protected with up-to-date security software.
