Android Spyware Hidden in Apps for 4 Years: ReportMandrake Malware Still Lurks in Apps in Google Play Store, Bitdefender Says
A sophisticated cyber-espionage campaign using spyware called Mandrake has been targeting Android users for at least four years, with the malware hiding in apps available in the Google Play Store, according to security firm Bitdefender.
The malware has the ability to take near-total control of an infected device and can collect a range of data from the targeted Android user, according to a new Bitdefender research report. For example, it can steal passwords and usernames from banking apps and social media accounts; capture recordings and take screenshots; track GPS location data; collect and send SMS messages; and deploy a "kill switch" that wipes the malware from the device when the data collection is done.
Although the spyware first victimized Android users in Australia in 2016, it's now moved to targets in the U.S., Canada, U.K. and Europe, according to the Bitdefender report.
"We can’t accurately estimate the number of individuals affected by Mandrake,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, tells Information Security Media Group. “What we have seen so far is a small fraction of infected devices that connected to our sinkhole - more than 1,000 users. We presume that the number of victims is in the count of tens of thousands, but we don’t know how many for sure."
Bitdefender researchers told Google about which apps in the Play Store were hiding the Mandrake spyware so they could be removed. But, Botezatu notes, "new ones have already popped up - and generated more than 5,000 new installs each in several days - so we're back to square one."
Bitdefender originally found seven apps that contained the Mandrake malware: Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope and Car News. Each of these had hundreds or thousands of downloads before they were removed from the Google Play Store, the report notes.
The operators behind Mandrake went to great lengths to make these malicious app appear legitimate. For example, they used dedicated microsites and social media pages for each app and delivered fixes for bugs reported by users, according to the report.
Bitdefender also found that the operators behind the spyware avoided targeting users in Africa, nations with Arab-speaking populations and countries that formerly were part of the Soviet Union.
"This is likely because its operators know that they increase their chances of being called out with every device they infect, so they attempt to exclude countries where compromised devices are less likely to bring them profitable results," Botezatu says.
While this type of spyware is sophisticated enough to have been developed by nation-state threat actors, Botezatu says it appears that the Mandrake operators are likely financially motivated fraudsters. He notes that in addition to stealing banking credentials, the malware can intercept SMS messages, which some banks use for the two-factor authentication process for accessing accounts.
To infect a device, the Mandrake malware goes through several stages to help hide its activities, the Bitdefender researchers discovered.
Once a malicious app is downloaded from the Google Play Store, it acts as a dropper for the main payload, which is the Mandrake spyware. The dropper, however, waits a period of time before contacting the operators and installing the malware, according to the report.
First, the dropper lays the groundwork for the malware, including unlocking the screen to connect and disconnect the Wi-Fi; collecting device details, including operating system version, battery level and SIM card details; and determining if the victim is a valid target, according to the report.
Before installing the Mandrake core, the dropper also enables GPS tracking and sends contact information to the command-and-control server, the report notes.
In the final stage, the Mandrake core is downloaded onto the victim's device, which then grants itself a string of permissions to gain administrative privileges. The malware achieves this by modifying regions of the screen to change what the victim sees, tricking them into enabling additional permissions.
After altering the permissions, the malware can then set itself as the default message application, enabling it to collect and send SMS messages to the command-and-control server, forward incoming calls as well as hide and send messages that are typed by the operators.
Once the operators have the data that they need, the kill switch is initiated and the malware is wiped from the device, the report notes.
"The malware advances from one step to another in a manual way, and only after its master decides that the victim device is valuable enough to risk deployment of the 'loader' or 'core' components," Botezatu says. "This is the opposite of what normal malware does, as Mandrake refuses to infect until instructed otherwise. It avoids sandboxes or automated environments, specific carriers and geographies, and even avoids 'uninteresting' devices."
Managing Editor Scott Ferguson contributed to this report.