Pierluigi Paganini May 18, 2020

Security experts discovered a highly sophisticated Android spyware platform, dubbed Mandrake, that remained undetected for four years.

Researchers from Bitdefender discovered a high-sophisticated Android spyware platform dubbed Mandrake, it was involved in highly targeted attacks against specific devices. Mandrake is an advanced cyberespionage platform, but experts believe the attacks are financially motivated.

Threat actors behind this campaign managed to fly under the radar for as long as possible. Attackers carefully selected the devices to infect and avoid compromise devices in countries that are of interest to them.

“Mandrake stood in the shadow for at least 4 years. During this time, it stole data from at least tens of thousands of users.” reads the report published by Bitdefender. “It takes special care not to infect everyone” – This is exactly what the actor did and most likely why it remained under the radar for 4 full years. Because of this strategy, the actual number of infections we were able to trace is quite low; Google Play Apps used as droppers to infect targets have only hundreds or – in some cases – thousands of downloads. It might even be possible that some of the infected users won’t face an attack at all if they present no interest to the actor.”

Most of the infections are in Australia, followed in Europe, America, and Canada. Experts observed two different waves of attacks, a first one in 2016 and 2017.

Experts detected seven malicious applications delivering Mandrake in Google Play alone, namely Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope, and Car News.

Sinkholing performed by the experts revealed about 1,000 victims during a 3-week period. The researchers estimated that the tens of thousands, and probably hundreds of thousands, were infected in the last 4 years.

During the past four years, the platform has received numerous updates, operators constantly implemented new features.

Mandrake allows attackers to gain complete control over an infected device and exfiltrate sensitive data, it also implements a kill-switch feature (a special command called seppuku (Japanese form of ritual suicide)) that wipes all victims’ data and leave no trace of malware.

“The attacker has access to data such as device preferences, address book and messages, screen recording, device usage and inactivity times, and can
obviously paint a pretty accurate picture of the victim, and their whereabouts.” continues the report. “The malware has complete control of the device: it can turn down the volume of the phone and block calls or messages, steal credentials, exfiltrate information, to money transfers and blackmailing. It can conduct phishing attacks, by loading a webpage and injecting a specially crafted JavaScript code to retrieve all data from input forms.”

The list of targets is long and includes an Australian investment trading app, crypto-wallet apps, the Amazon shopping application, Gmail, banking software, payment apps, and an Australian pension fund app.

The malware avoids the detection delaying the activities and working in three stages: dropper, loader, and core.

The dropper is represented by the apps published in Google Play, while it is not possible to determine when the loader and the core are delivered.

The malware implements evasion techniques such as anti-emulation and leverages administrator privileges and the Accessibility Service to achieve persistence.

The report contains technical details about the threat, including Indicators of Compromise.

Pierluigi Paganini

(SecurityAffairs – Mandrake, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]