Five Spyware Apps Removed from Google Play Store After Two Years

04 Aug 2024

Five applications harboring potentially hazardous spyware evaded detection on the Google Play Store for two years, cybersecurity experts have revealed. Collectively, the apps have amassed over 32,000 downloads since their introduction in 2022.

The Rise of Mandrake

The spyware in question, known as “Mandrake,” has been on the radar of cybersecurity professionals since 2016. Kaspersky recently reported the emergence of a new variant of Mandrake specifically targeting Android devices, characterized by advanced layers of obfuscation and evasion techniques. According to Kaspersky, “The main distinguishing feature of the new Mandrake variant was layers of obfuscation designed to bypass Google Play checks and hamper analysis.” The firm identified five applications containing Mandrake, which have garnered a total of over 32,000 downloads.

Concerningly, the majority of these downloads originated from the UK, along with Canada, Germany, Italy, Mexico, Spain, and Peru. Once installed, the spyware can collect sensitive data, record and monitor the user's screen, and even simulate swipes and taps. In the most alarming scenarios, this could facilitate unauthorized access to private accounts, particularly banking information. Furthermore, the spyware can install additional malicious applications and generate deceptive notifications to entice users into downloading even more perilous content.

Google's Response

Kaspersky noted, “After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years, while still available for download on Google Play.” This situation underscores the impressive skills of threat actors and suggests that stricter controls over application publishing only lead to the emergence of more sophisticated and harder-to-detect threats infiltrating official app marketplaces.

In response to these findings, the five identified apps have since been removed from the platform. Google issued a statement to BleepingComputer, asserting, “Google Play Protect is continuously improving with each app identified. We’re always enhancing its capabilities, including upcoming live threat detection to help combat obfuscation and anti-evasion techniques.” Android users benefit from automatic protection against known malware versions through Google Play Protect, which is enabled by default on devices utilizing Google Play Services. This feature can alert users or block applications exhibiting malicious behavior, even if they originate from outside the Play Store.

For those who may not have Google Play Protect activated or wish to ensure they haven’t inadvertently downloaded any of the flagged applications, a list of the apps is provided below for immediate review and deletion:

  • AirFS – File sharing via Wi-Fi – By it9042
  • Astro Explorer – By shevabad
  • Amber – By kodaslda
  • CryptoPulsing – By shevabad

This revelation serves as a stark reminder of the ever-evolving landscape of cybersecurity threats and the importance of vigilance in app downloads and installations.

Update: 04 Aug 2024