Cybercriminals who leverage Google Play as a distribution model are notoriously sloppy, leaving many clues as to their malice. As a result, their campaigns are typically short-lived. The team behind Mandrake are different. One of the most complex spyware frameworks ever to target regular Android users, Mandrake has been steadily claiming victims – and profits – over the past few years, and their malice continues to plague unsuspecting users, including users in Australia.
In early 2020, Bitdefender researchers identified a highly sophisticated Android espionage platform that had been active for at least 4 years. Mandrake – named by researchers after the malware’s references to toxic plants – is well developed and orchestrated. It is concealed in ‘dropper’ apps designed to look and feel legitimate, only to establish trust with the user and download malware onto their handset.
They take the time to set up marketing materials, websites and social media campaigns. They address users’ negative reviews by promising to iron out any annoying bugs or undesired functionality. In addition to the persuasive responses and quick fixes, the apps are also mostly ad-free. They use techniques to avoid Google Play protection, such as delaying malicious actions for prolonged periods. The dropper merely acts as a sentinel before downloading a loader and (ultimately) the core malware – after making sure it’s safe to unfold the attack.
The apps feature different anti-emulation and hiding techniques, making sure not to give away their purpose if running in the automated, simulated environment typical of research labs. Custom views of a fake EULA are displayed. When users swipe to read or wish to exit, they are actually tapping on a hidden ‘accept’ dialog button in the background, granting Mandrake full privileges and access to the phone’s contents. The malware has even tricked multi-factor authentication, making sure users see no suspicious activity until it’s too late.
The developers also carefully examine their demographics before launching an infection campaign, focusing closely on financially viable victims while avoiding too much attention.
Bitdefender’s new research paper, “Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years” tells the technical story behind this elusive malware and how to avoid falling victim. The research also reveals how the malicious actors behind Mandrake have renewed their focus on certain geographies in the past two years, with Australia showing up as a prominent spot on the radar.
Mandrake isn’t bulletproof. A modern security solution will detect this malware on a device before it can phone back to base with any stolen data in hand. Unfortunately, not everyone believes using a mobile security solution is necessary – until they find out the hard way. Mobile devices are a huge component of a business’s attack surface, so it is essential that they receive an appropriate level of cybersecurity protection.
Click here to download Bitdefender’s new research paper, “Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years”