
Mysterious malware family was hidden in Google Play for years


    A mysterious family of Android malware with a proven track record of effectively hiding its extensive spying activities has been rediscovered in Google Play, after hiding in plain sight for more than two years.

    The apps, disguised as file-sharing, astronomy and cryptocurrency apps, hosted Mandrake, a family of highly intrusive malware that security firm Bitdefender exposed in 2020. Bitdefender said the apps appeared in two waves, one in 2016 through 2017 and again in 2018 through 2020. Mandrake’s ability to remain undetected at the time was the result of some unusually rigorous steps to stay under the radar. They included:

    • Not operating in roughly 90 countries, including those of the former Soviet Union
    • Delivering the final payload only to victims selected with the utmost care
    • A kill switch the developers called seppuku (the Japanese form of ritual suicide) that wipes every trace of the malware from the device
    • Fully featured decoy apps in categories such as Finance, Auto & Vehicles, Video Players & Editors, Art & Design, and Productivity
    • Quick fixes for bugs reported in user comments
    • TLS certificate pinning to hide communications with command-and-control servers

    Lurking in the shadows

    Bitdefender estimated the number of victims to be in the tens of thousands for the 2018 to 2020 wave and “likely hundreds of thousands over the full four-year period.”

    Following Bitdefender’s 2020 report, Mandrake-infected apps seemed to disappear from Play. Now, security firm Kaspersky has reported that the apps resurfaced in 2022 and went unnoticed until recently. In addition to a new round of decoy apps, Mandrake operators have also implemented several measures to better disguise their malicious behavior, evade the “sandboxes” researchers use to identify and study malware, and defeat malware protections introduced in recent years.

    “The Mandrake spyware is evolving dynamically, improving its methods of obfuscation, sandbox evasion, and bypassing new defense mechanisms,” Kaspersky researchers Tatyana Shishkova and Igor Golovin wrote. “While the applications from the first campaign remained undetected for four years, the current campaign lurked in the shadows for two years, while still being available for download on Google Play. This highlights the formidable skills of the threat actors, and also the fact that stricter checks on applications before they are released to the market only result in more sophisticated, harder-to-detect threats sneaking into official app marketplaces.”

    A key feature of the latest generation of Mandrake is multiple layers of obfuscation designed to evade analysis by researchers and bypass the screening process that Google Play uses to identify malicious apps. All five of the apps Kaspersky discovered first appeared in Play in 2022 and remained available for at least a year. The most recent app was updated on March 15 and removed from the app market later that month. As of early this month, none of the apps had been detected as malicious by any major malware detection provider.

    One method of obfuscation was to move the malicious functionality into native libraries. Previously, Mandrake stored its first-stage malicious logic in the application’s DEX file, the Dalvik bytecode container that decompiles readily and is therefore easy to analyze. By relocating that stage into the native library libopencv_dnn.so, the operators made the code harder to analyze and detect, because compiled native code is harder to inspect than DEX bytecode. Obfuscating that library with OLLVM (Obfuscator-LLVM) made the Mandrake apps stealthier still.

    Mandrake’s primary goals are to steal user credentials and to download and execute next-stage malicious applications. These actions, however, are performed only in late-stage infections, which are triggered on a small number of carefully selected targets. The main credential-theft technique is to record the screen while the victim enters an access code or login. Screen recording is initiated by the control server sending commands such as start_v, start_i, or start_a. The researchers explained:

    When Mandrake receives a start_v command, the service is started and the specified URL is loaded into a webview owned by the application. This webview contains a custom JavaScript interface. The application uses this interface to manipulate the loaded web page.

    While the page is loading, the application establishes a websocket connection and starts taking screenshots of the page at regular intervals, encoding them to base64 strings and sending them to the C2 server. The attackers can use additional commands to adjust the frame rate and quality. The threat actors call this “vnc_stream”. At the same time, the C2 server can send back control commands that allow the application to perform actions such as swiping to a specific coordinate, changing the size and resolution of the web view, switching between desktop and mobile page display modes, enabling or disabling JavaScript execution, changing the User Agent, importing or exporting cookies, going back and forward, refreshing the loaded page, zooming the loaded page, and so on.

    When Mandrake receives a start_i command, it loads a URL into a webview, but instead of starting a “VNC” stream, the C2 server starts recording the screen and saving the recording to a file. The recording process is similar to the “VNC” scenario, but screenshots are saved to a video file. In this mode, too, the application waits for the user to enter their credentials on the webpage and then collects cookies from the webview.

    The start_a command allows you to perform automated actions in the context of the current page, such as swiping, clicking, etc. If this is the case, Mandrake will download automation scenarios from the URL specified in the command options. In this mode, the screen will also be recorded.

    Screen captures can be uploaded to the C2 using the upload_i or upload_d commands.

    Neither Kaspersky nor Bitdefender provided attribution for the group or what their motives are for distributing spyware and a credential-stealing app as sophisticated as Mandrake. The apps Kaspersky discovered are listed in the table below. Google has since removed them from Play. Additional indicators of compromise can be found in the Kaspersky post.

    Package name | Application name | MD5 | Developer | Published | Last updated on Google Play | Downloads
    com.airft.ftrnsfr | Air FS | 33fdfbb1acdc226eb177eb42f3d22db4 | the9042 | April 28, 2022 | March 15, 2024 | 30,305
    com.astro.dscvr | Astro-discoverer | 31ae39a7abeea3901a681f847199ed88 | shevabad | May 30, 2022 | June 6, 2023 | 718
    com.shrp.sight | Amber | b4acfaeada60f41f6925628c824bb35e | kodaslda | February 27, 2022 | August 19, 2023 | 19
    com.cryptopulsing.browser | CryptoPulses | e165cda25ef49c02ed94ab524fafa938 | Shevabad | November 2, 2022 | June 6, 2023 | 790
    com.brnmth.mtrx | Brain Matrix | | kodaslda | April 27, 2022 | June 6, 2023 | 259
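    The indicators in the table above and the native-library relocation described earlier are the two things a defender can act on from this report. The following script is an added example, not tooling from Kaspersky, Bitdefender or the Mandrake authors: it treats an APK as the ZIP archive it is, lists the native libraries bundled under lib/, flags the library name the article reports as carrying the relocated first stage, and compares the APK's MD5 and package name against the hashes in the table. The package name is assumed to be supplied by the caller (for example from aapt or androguard), since parsing the binary AndroidManifest.xml is out of scope here, and the two sample APKs are constructed in memory so the script runs offline. Brain Matrix has no hash on the page, so it can only be matched by package name.

```python
"""IOC triage for the Mandrake apps listed in the article (added example)."""
import hashlib
import io
import zipfile

# Indicators copied from the article's table: package name -> MD5 of the APK.
# The Brain Matrix row carries no hash on the page, so it matches by package only.
MANDRAKE_IOCS = {
    "com.airft.ftrnsfr": "33fdfbb1acdc226eb177eb42f3d22db4",
    "com.astro.dscvr": "31ae39a7abeea3901a681f847199ed88",
    "com.shrp.sight": "b4acfaeada60f41f6925628c824bb35e",
    "com.cryptopulsing.browser": "e165cda25ef49c02ed94ab524fafa938",
    "com.brnmth.mtrx": None,
}

# Native library name the article reports Mandrake used for its first stage.
SUSPECT_NATIVE_LIBS = {"libopencv_dnn.so"}


def native_libs(apk_bytes: bytes) -> list:
    """Return the paths of every .so bundled under lib/<abi>/ inside the APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(
            name for name in zf.namelist()
            if name.startswith("lib/") and name.endswith(".so")
        )


def triage(apk_bytes: bytes, package_name: str) -> dict:
    """Score one APK against the page's indicators.

    package_name is assumed to come from the manifest (aapt, androguard, ...);
    this example does not parse the binary AndroidManifest.xml itself.
    """
    md5 = hashlib.md5(apk_bytes).hexdigest()
    libs = native_libs(apk_bytes)
    flagged = [p for p in libs if p.rsplit("/", 1)[-1] in SUSPECT_NATIVE_LIBS]
    known_md5 = MANDRAKE_IOCS.get(package_name)
    return {
        "md5": md5,
        "package_match": package_name in MANDRAKE_IOCS,
        "md5_match": known_md5 is not None and known_md5 == md5,
        "native_libs": libs,
        "flagged_libs": flagged,
        # A hash match is definitive; a package or library hit is a lead to
        # inspect manually, since a repacked sample will not hash-match.
        "verdict": "known_mandrake" if known_md5 == md5 and known_md5 else
                   "suspicious" if flagged or package_name in MANDRAKE_IOCS else
                   "no_indicator",
    }


def build_sample_apk(entries: dict) -> bytes:
    """Constructed fixture: a minimal ZIP laid out like an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one mimicking the suspect layout, one plain.
SAMPLE_SUSPICIOUS = build_sample_apk({
    "AndroidManifest.xml": b"<constructed manifest>",
    "classes.dex": b"dex\n035\x00constructed",
    "lib/arm64-v8a/libopencv_dnn.so": b"\x7fELF constructed native library",
})
SAMPLE_CLEAN = build_sample_apk({
    "AndroidManifest.xml": b"<constructed manifest>",
    "classes.dex": b"dex\n035\x00constructed",
})

if __name__ == "__main__":
    for label, apk, pkg in [("suspicious", SAMPLE_SUSPICIOUS, "com.airft.ftrnsfr"),
                            ("clean", SAMPLE_CLEAN, "com.example.benign")]:
        print(label, triage(apk, pkg))
```

    Because the constructed samples are not the real APKs, their MD5s never match the table; the script reports them as "suspicious" on the package name and library name alone, which is the right outcome for a repacked or updated build and is why a hash list on its own is a weak detector for a family that ships quick fixes.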