An undetected variant of a well-known Android spyware has been lurking in the Google Play app store for around two years, infecting tens of thousands of devices, experts have warned.
A Kaspersky report says that in April 2024, its researchers discovered a “suspicious sample” that turned out to be a new variant of the dreaded Mandrake malware.
The new sample led the team to a total of five Android apps, which were available for two years, Kaspersky said. In total, these apps had more than 32,000 downloads. They were uploaded in 2022, and some individual apps were available for download “for at least a year,” suggesting that not all of them were available at the same time.
Hidden in cryptocurrency and astronomy applications
The malware was hidden in a Wi-Fi file-sharing app, an astronomy services app, an Amber for Genshin game, a cryptocurrency app, and a logic puzzle app. “As of July 2024, no vendor has detected any of these apps as malware, according to VirusTotal,” Kaspersky concluded, adding that Google had since removed them from its app repository.
Mandrake was first detected in 2020, when security analysts said it had likely been active since 2016. It is a sophisticated malware that steals sensitive information, gains remote control over the device, and is capable of keylogging, capturing screenshots, and exfiltrating data from devices.
The new variant included advanced obfuscation and evasion techniques that allowed it to remain undetected by security vendors. These include moving malicious functionality into native libraries obfuscated with OLLVM, implementing certificate pinning for communication with command-and-control (C2) servers, and running extensive checks to detect whether the malware is running on a rooted device or within an emulated environment.
The malware was also able to bypass Google Play security controls.
At the moment, none of the apps is available on Google Play, but while they were, most downloads came from Canada, Germany, Italy, Mexico, Spain, Peru and the United Kingdom.
The attackers, Kaspersky suggests, are likely of Russian origin, as all C2 domains are registered there.