
Highly sophisticated malware lurked in Google’s Play Store for years, undetected


Facepalm: Mandrake, a persistent cyber threat in the Android mobile ecosystem, has resurfaced with more advanced techniques to evade security measures. Researchers first discovered Mandrake-infected apps a few years ago, and now the malware has returned with increased sophistication.

The Mandrake malware family was initially detected by Bitdefender in 2020. This Romanian cybersecurity firm identified the threat in two major infection waves, first in fake apps on Google Play from 2016 to 2017, and then again from 2018 to 2020. Mandrake was known for its ability to avoid detection by Google and infect a large number of users, potentially reaching hundreds of thousands over four years.

The initial Mandrake infections used various tactics to hide their presence. The malware was programmed to deliver its malicious payload to specific targets and included a “seppuku” kill switch to remove all traces of the infection from a device.

The fake apps housing Mandrake were fully functional decoys in popular categories like finance, automotive, and video players. Cybercriminals or third-party developers quickly addressed user-reported bugs in the Play Store comments section. Additionally, TLS was used to encrypt the traffic between the malware and its command-and-control servers, concealing it from inspection.

After a period of dormancy, Mandrake has reemerged in the Android ecosystem with a new wave of stealthy infected apps that are even more challenging to detect and analyze. This “new generation” of Mandrake malware employs multiple layers of code obfuscation to evade scrutiny and bypass Google’s scanning algorithms, including tactics to counter sandbox-based analysis.

Kaspersky, the Russian security firm, observed that the Mandrake creators possess advanced coding skills, making the malware even more elusive. The most recent app harboring Mandrake was updated on March 15 and removed from the app store by month-end, evading detection by Google and other third-party entities.


Despite the new wave of decoy apps, Mandrake’s primary objective remains unchanged – stealing user credentials by recording screen activity and transmitting the data to command-and-control servers. The malware can also download and execute additional malicious payloads.

Kaspersky has not disclosed further details about the Mandrake authors or their motivations. The security company identified five different apps hosting the malware, all of which were eventually removed from the Play Store by Google.
