July 30, 2024 at 06:12AM
In 2022, a new version of the Mandrake Android spyware went undetected on Google Play for two years, garnering 32,000+ downloads. The advanced spyware grants attackers full control over infected devices, enabling theft of credentials, files, and money, as well as screen recording and blackmail. Kaspersky warns that the spyware’s complexity has increased to evade detection.
According to the meeting notes, a new version of the Mandrake Android spyware appeared on Google Play in 2022 and remained undetected for two years, accumulating over 32,000 downloads. Mandrake, a sophisticated spyware platform, had been used in two previous infection waves and reappeared on Google Play in 2022 disguised as a file-sharing app named AirFS. That app, which had over 30,000 downloads, was eventually removed from the Google Play store in March 2024. The spyware operates in three stages (dropper, loader, and core) and collects device information, which it sends to a command-and-control (C&C) server.
The spyware’s main functionality includes harvesting device and user-account information, interacting with applications, giving attackers remote interaction with the infected device, and installing additional modules received from the C&C. Notably, recent versions exhibit increased code complexity and emulation checks, making the code more challenging for malware analysts to analyze.
The spyware relies on a statically compiled OpenSSL library for C&C communication and employs an encrypted certificate to prevent network traffic sniffing. Most of the 32,000 downloads came from users in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK. The meeting notes also cover related developments in other spyware and malware.