Mandrake is a very sophisticated type of malware that targets Android devices. Once installed, often through seemingly harmless apps, this malware is able to take complete control of the device. It can steal personal information such as passwords, bank details and messages, as well as being able to execute commands remotely, making it particularly dangerous.
This malware is difficult to detect and remove because it uses advanced techniques to conceal itself and operate undetected. In effect, it is like having an invisible thief on your phone who can do whatever he wants with your data.
Kaspersky researchers detected the recent activity of this malware, which has since evolved to evade detection systems and continue operating behind the scenes.
History and Behavior
Mandrake was first identified in 2016 by security firm Bitdefender, which immediately noticed some particularly advanced techniques. The first version of the malware operated selectively, using an exclusion list of 90 countries and delivering the payload only to very precisely chosen victims. In addition, Mandrake possessed a feature called “seppuku” which allowed it to erase all traces of itself from the device.
Researchers point out that Mandrake is evolving dynamically, always aiming to improve methods of concealment and circumvention. Evidence of this evolution is that new apps used to spread malware have been hidden for two years on Google Play.
Mandrake’s main goal is to steal account credentials and subsequently download and run malicious apps. These operations are performed in successive stages of compromising a device, once the malware has established a persistent presence in the system. One of the main actions is screen recording while the victim enters a passcode, a function remotely activated by specific commands sent from the control server.
A distinctive aspect of the latest version of Mandrake is the use of multiple layers of obfuscation to circumvent Google Play’s verification process. Kaspersky discovered five apps in 2022 on the Play Store that remained available for at least a year. Until earlier this month, none of these apps were detected as malicious by major antivirus tools.
After 2020, Mandrake seemed to have disappeared from Google Play. However, recent analysis by Kaspersky found that the malware reappeared in 2022, remaining undetected until today. This new version of Mandrake has a number of significant improvements, including new techniques to avoid sandbox analysis and mechanisms to bypass the latest anti-malware protections.
How to Defend Your Device
As shown by expert analysis, Mandrake is very difficult to detect. Currently, the list of infected apps already discovered is very short, but we would not be surprised if more are found in the coming weeks.
The known apps at the moment are:
- AirFS
- Astro Explorer
- Amber for Genshin
- CryptPulsing
- Brain Matrix
These apps have all been removed from the Play Store, and thanks to the Play Protect mechanism, even those who had already installed them should now be safe. However, we strongly recommend that you manually check the apps on your phone for added security.