Security researchers have shed light on a new iteration of Mandrake, a sophisticated Android cyber-espionage malware tool. Initially analyzed by Bitdefender in May 2020, Mandrake had operated undetected for at least four years.
In April 2024, Kaspersky researchers discovered suspicious samples that were confirmed to be a new version of Mandrake. This latest variant was hidden inside five applications on Google Play from 2022 to 2024, amassing over 32,000 downloads while remaining undetected by other cybersecurity vendors.
The updated Mandrake samples, described in an advisory published by Kaspersky today, displayed enhanced obfuscation and evasion tactics. Key changes included moving malicious functionality into obfuscated native libraries, using certificate pinning for secure communications with command-and-control (C2) servers, and implementing various checks to avoid detection on rooted or emulated devices.
These applications reportedly remained on Google Play for up to two years, with the most downloaded app, AirFS, accumulating over 30,000 installations before its removal in March 2024.
Sophisticated Infection Chain
From a technical standpoint, the new Mandrake version operates through a multi-stage infection chain. Initially, malicious activity is hidden inside a native library, making it harder to analyze than earlier campaigns, where the first stage was in the DEX file.
Upon execution, the first-stage library decrypts and loads the second stage, which then initiates communication with the C2 server. If the device is deemed relevant, the C2 server instructs it to download and execute the core malware, which is designed to steal user credentials and deploy additional malicious applications.
Mandrake's evasion methods have become more sophisticated, Kaspersky warned, incorporating checks for emulation environments, rooted devices and the presence of analyst tools. These enhancements make it challenging for cybersecurity specialists to detect and analyze the malware.
Notably, the threat actors behind Mandrake also employed a novel approach to data encryption and decryption, using a combination of custom algorithms and standard AES encryption.
“The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion and bypassing new defense mechanisms. After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years while still available for download on Google Play,” Kaspersky explained.
“This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.”