Android users beware!
A new variant of the notorious spyware Mandrake has been discovered lurking in five applications available on the Google Play Store. These malicious apps managed to bypass Google Play’s security measures and garnered over 32,000 downloads before being taken down.
Researchers at Kaspersky first identified Mandrake in 2020, highlighting its advanced spying techniques. This latest version employs improved obfuscation methods, allowing it to sneak past Google Play’s defenses. The malware hid within seemingly legitimate apps like file sharing tools, astronomy viewers, and cryptocurrency trackers.
The malicious apps were available for download between 2022 and 2024, with the most popular app, AirFS, accumulating over 30,000 downloads. Thankfully, Google removed all five identified apps by March 2024.
Mandrake is a cunning piece of malware. Unlike most Android threats, it conceals its malicious code within a heavily obfuscated library, which makes detection difficult. Once installed, the app gradually downloads additional stages and establishes an encrypted communication channel with its command-and-control (C2) server.
This allows the attacker to steal a wide range of data from the infected device, including screen recordings, app usage, and even files. Mandrake can also mimic Google Play notifications to trick users into installing additional malware.
Kaspersky researchers warn that Mandrake might reappear in new, even better-disguised apps. To stay safe, Android users should only download apps from trusted developers, read reviews carefully, avoid granting unnecessary permissions, and ensure Google Play Protect is always active.
Google acknowledges the issue and assures users that Google Play Protect is constantly evolving to combat such threats. The upcoming live threat detection feature promises to further strengthen defenses against obfuscated malware.