The Mandrake Android spyware campaign, which was first discovered in 2020, has seemingly made an unwelcome return. In a blog post this week, Kaspersky researchers reported that they found a suspicious sample in the Google Play store this April that appeared to be a new version of the malware. After more digging, they unearthed five Android apps containing the Mandrake malware that had been available on the store for two years.
The researchers say that the new Mandrake has been upgraded with layers of obfuscation that allow it to bypass Google Play checks. As a result, threat actors were able to sneak at least five apps onto Google Play containing the malware in 2022.
Most of these infected apps were installed fewer than 1,000 times, but the fake file-sharing app AirFS was installed over 30,000 times. More troubling, it remained available on Google Play until March 2024, when it was finally removed. Here’s the full list of Mandrake apps that the researchers say were on Google Play for at least a year:
- AirFS – File sharing via Wi-Fi by it9042 (30,305 downloads)
- Astro Explorer by shevabad (718 downloads)
- Amber by kodaslda (19 downloads)
- CryptoPulsing by shevabad (790 downloads)
- Brain Matrix by kodaslda (259 downloads)
According to Kaspersky, threat actors use Mandrake to steal user credentials and to download and execute next-stage malicious applications. As noted above, the latest version of Mandrake is better at hiding its true intentions from Google Play, which explains how these infected apps were able to sit unnoticed on Google’s app store for so long.
Two Kaspersky researchers explain: “The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion and bypassing new defense mechanisms. After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years, while still available for download on Google Play. This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.”
As Google spokespeople have told us previously, you’re protected from threats such as these as long as you have Google Play Protect active on your device. Furthermore, all five of these Android apps are no longer on Google Play.