Security researchers have disclosed a new iteration of Mandrake, a sophisticated Android cyber-espionage malware tool. Initially analyzed by Bitdefender in May 2020, Mandrake had by then operated undetected for at least four years.
In April 2024, Kaspersky researchers discovered suspicious samples that were confirmed to be a new version of Mandrake. This latest variant was concealed inside five applications on Google Play from 2022 to 2024, amassing over 32,000 downloads while remaining undetected by other cybersecurity vendors.
The updated Mandrake samples, described in an advisory published by Kaspersky today, displayed enhanced obfuscation and evasion techniques. Key changes included moving the malicious functionality into obfuscated native libraries, using certificate pinning to secure communications with command-and-control (C2) servers, and implementing various checks to avoid detection on rooted or emulated devices.
These applications reportedly remained on Google Play for up to two years, with the most downloaded app, AirFS, accumulating over 30,000 installations before its removal in March 2024.
Sophisticated Infection Chain
From a technical standpoint, the new Mandrake version operates through a multi-stage infection chain. Initially, the malicious activity is hidden inside a native library, which is harder to analyze than the earlier campaigns, where the first stage lived in the DEX file.
Upon execution, the first-stage library decrypts and loads the second stage, which then initiates communication with the C2 server. If the device is deemed relevant, the C2 server instructs it to download and execute the core malware, which is designed to steal user credentials and deploy additional malicious applications.
Mandrake's evasion methods have become more sophisticated, Kaspersky warned, incorporating checks for emulation environments, rooted devices and the presence of analyst tools. These enhancements make it challenging for cybersecurity specialists to detect and analyze the malware.
Notably, the threat actors behind Mandrake also employed a novel approach to data encryption and decryption, combining custom algorithms with standard AES encryption.
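The staging and evasion behaviour described above suggests a simple static triage for a suspicious APK: list the native libraries it ships and scan every entry for strings typically used by emulator, root and hooking-framework checks, plus the JNI class names a native first stage must reference in order to load a second-stage DEX itself. The script below is an added example written for this article, not Mandrake's code and not Kaspersky's tooling: the indicator lists are generic Android artefacts rather than a Mandrake signature, the scoring weights are arbitrary, and the APK it analyzes is constructed in memory.

```python
"""Static triage of an Android APK for native-library staging and evasion
indicators. Added example with generic heuristics; not Mandrake's code and
not Kaspersky's tooling. The sample APK is constructed in memory."""
import io
import re
import zipfile

# Strings emulator-detection code commonly probes for (generic, not a Mandrake signature).
EMULATOR = [b"goldfish", b"ranchu", b"generic_x86", b"/dev/qemu_pipe",
            b"ro.kernel.qemu", b"Genymotion", b"vbox86"]
# Paths and package names root-detection code commonly probes.
ROOT = [b"/system/bin/su", b"/system/xbin/su", b"/sbin/su",
        b"com.topjohnwu.magisk", b"eu.chainfire.supersu", b"test-keys"]
# Hooking/instrumentation frameworks an analyst might have on the device.
ANALYSIS_TOOLS = [b"de.robv.android.xposed", b"frida", b"gum-js-loop",
                  b"com.saurik.substrate"]
# JNI class names a native library references when it loads a second-stage DEX itself.
DYNAMIC_LOADING = [b"dalvik/system/DexClassLoader",
                   b"dalvik/system/InMemoryDexClassLoader",
                   b"dalvik/system/PathClassLoader"]

CATEGORIES = {"emulator": EMULATOR, "root": ROOT,
              "analysis_tool": ANALYSIS_TOOLS, "dynamic_loading": DYNAMIC_LOADING}
# Arbitrary demo weights; hits inside a native library count double.
WEIGHTS = {"emulator": 1, "root": 1, "analysis_tool": 1, "dynamic_loading": 2}
NATIVE_LIB = re.compile(r"^lib/[^/]+/lib[^/]+\.so$")


def find_indicators(data: bytes) -> dict:
    """Return {category: [matched strings]} for every category with at least one hit."""
    found = {}
    for category, needles in CATEGORIES.items():
        hits = sorted(n.decode() for n in needles if n in data)
        if hits:
            found[category] = hits
    return found


def triage_apk(apk_bytes: bytes) -> dict:
    """List native libraries in the APK (a ZIP) and scan every entry for indicators."""
    report = {"native_libs": [], "indicators": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if NATIVE_LIB.match(name):
                report["native_libs"].append(name)
            hits = find_indicators(zf.read(name))
            if hits:
                report["indicators"][name] = hits
    return report


def summarize(report: dict) -> dict:
    """Roll per-file hits into a score with human-readable reasons."""
    score, reasons = 0, []
    libs = set(report["native_libs"])
    for path, cats in report["indicators"].items():
        multiplier = 2 if path in libs else 1
        for category, hits in cats.items():
            weight = WEIGHTS[category] * multiplier
            score += weight
            reasons.append(f"{path}: {category} {hits} (+{weight})")
    return {"score": score, "reasons": reasons}


def build_sample_apk(with_native_stage: bool = True) -> bytes:
    """Construct a minimal APK-like ZIP in memory (sample input, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b'<manifest package="com.example.demo"/>')
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        if with_native_stage:
            # Fake ELF body whose string table references emulator/root checks
            # and an in-memory DEX loader, as a staging library might.
            strings = b"\x00".join([b"ro.kernel.qemu", b"goldfish", b"/system/xbin/su",
                                    b"dalvik/system/InMemoryDexClassLoader",
                                    b"Ljava/lang/String;"])
            zf.writestr("lib/arm64-v8a/libstage1.so", b"\x7fELF" + b"\x00" * 12 + strings)
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_apk(build_sample_apk())
    print("native libraries:", rep["native_libs"])
    for reason in summarize(rep)["reasons"]:
        print(reason)
```

String hits are only a triage signal: a legitimate app may ship a root check for its own reasons, and a staging library that builds its strings at runtime (as heavily obfuscated samples do) will show nothing here, so a clean result should lead to dynamic analysis rather than a clean bill of health.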
“The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion and bypassing new defense mechanisms. After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years while still available for download on Google Play,” Kaspersky explained.
“This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.”
Image credit: rafapress / Shutterstock.com