Android Spyware gives attackers complete control of Your Phone: What to Do

A newly discovered strain of multi-stage Android spyware has been lurking in the background since 2016, infecting tens of thousands of users, but it will not launch its final payload unless the malware's operator decides the victim has enough money to steal.

Named Mandrake by its discoverers at Bitdefender, the malware can take "complete control of the device," stealing information and cryptocurrency, breaking into bank accounts, and even factory-resetting infected phones to cover its tracks.

Mandrake-infected apps have been removed from the Google Play Store, but they are likely still lurking in third-party app markets beyond Google's reach. To avoid infection, make sure your phone's settings have not been changed to accept apps from "unknown sources," and install one of the best Android antivirus apps.

The first stage of Mandrake, the "droppers," comes in the form of benign-looking apps that actually do what they promise. Among those Bitdefender found on Google Play were CoinCast, Currency XE Converter, Car News, Horoskope, SnapTune Vid, Abfix, and Office Scanner.

All have now been removed from Google Play, but Tom's Guide was able to confirm that Facebook and YouTube pages promoting some of them are still up.

Installing one of these seemingly harmless apps lets it collect information about your device and surroundings, but otherwise it does nothing obviously malicious.

If an app does not work well for its advertised purpose and you complain about it on Google Play, the malware operators apologize and push improvements.

"The number of victims from this wave is estimated to be in the tens of thousands, perhaps hundreds of thousands over the entire four-year period," Bitdefender wrote in its report.

However, the first stage also tricks users into allowing the installation of apps from outside Google Play, then downloads and installs the second stage, a "loader."

The loader lurks in the background, collecting more information about you and sending it to the malware operator, who decides whether you are worth attacking. If so, the loader downloads the third stage, the core Mandrake malware.

"Given the complexity of the spying platform, it is assumed that all attacks are individually targeted, executed with surgical precision, and performed manually rather than automatically," Bitdefender wrote.

Mandrake tricks users by displaying fake overlays on their screens, such as end-user license agreements that require consent. These are tailored to different phones, screen sizes, languages, and Android versions. But if you tap "OK" to agree, you are really granting the malware device administrator privileges.

Mandrake can then forward all your text messages to the attacker, forward your phone calls to other numbers, block incoming calls, install or remove apps, steal your contact list, hide notifications, record your screen activity, capture your Facebook and online banking passwords, serve phishing pages that harvest Gmail and Amazon credentials, and track your location.

The coup de grâce is a command embedded in the malware called "seppuku," after the Japanese ritual suicide. This command factory-wipes the device, erasing all traces of the malware along with all user data.

Because Mandrake tricked the user into granting it device administrator privileges, rebooting the device or uninstalling the first-stage app does not remove the core malware.

"The only way to remove Mandrake is to boot the device in safe mode, remove the device administrator's special permissions, and uninstall it manually," Bitdefender wrote.
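The two checks the article recommends, no sideloaded packages and no unexpected device administrators, can be scripted over standard adb output. The script below is an added example by this page's editor, not code from Tom's Guide or from Bitdefender's research. It assumes the usual line formats of `pm list packages -3 -i` and `dumpsys device_policy`; the sample output it parses is constructed for the demo, not captured from an infected phone, and the package names in it are hypothetical.

```shell
#!/bin/sh
# Editor's added audit helper (not Bitdefender's or Tom's Guide's code).
# It parses the output of two standard adb commands so the checks can be scripted:
#   adb shell pm list packages -3 -i      # third-party packages with their installer
#   adb shell dumpsys device_policy       # active device administrators
# Sideloading itself is a per-app permission on Android 8+; check it with
#   adb shell appops get <package> REQUEST_INSTALL_PACKAGES
# (on older versions: adb shell settings get secure install_non_market_apps).

# Print third-party packages whose installer is anything other than Google
# Play (com.android.vending). Input lines look like
# "package:<name>  installer=<installer or null>".
sideloaded_packages() {
    sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p' |
    awk '$2 != "com.android.vending" { print $1 }'
}

# Print the component names of active device admins from dumpsys output.
# Admin entries appear as an indented "<package>/<class>:" line; the exact
# dumpsys layout varies by Android version, so adjust the pattern if the real
# output on your device differs.
device_admins() {
    sed -n 's/^ *\([A-Za-z0-9_.]*\/[A-Za-z0-9_.$]*\):$/\1/p'
}

# Intersect the two lists: a device admin that belongs to a sideloaded package
# is exactly the foothold the article describes.
# $1 = file with pm output, $2 = file with dumpsys output.
suspicious_admins() {
    tmp="${TMPDIR:-/tmp}/sideloaded.$$"
    sideloaded_packages <"$1" | sort -u >"$tmp"
    device_admins <"$2" | while IFS= read -r component; do
        pkg=${component%%/*}
        if grep -qxF "$pkg" "$tmp"; then
            printf '%s\n' "$component"
        fi
    done
    rm -f "$tmp"
}

# --- constructed sample output (hypothetical packages, not a real device) ----
SAMPLE_PM='package:com.android.chrome  installer=com.android.vending
package:com.example.horoskope  installer=com.android.vending
package:com.example.loader  installer=com.example.horoskope
package:com.example.core  installer=null'

SAMPLE_DPM='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.company.mdm/com.company.mdm.AdminReceiver:
      uid=10102
    com.example.core/com.example.core.DevAdmin:
      uid=10244
      policies:
        wipe-data'

# Run the intersection on the samples. On a real phone, save the live output
# of the two adb commands above to files and pass those instead.
demo_suspicious_admins() {
    pmf=$(mktemp) && dpmf=$(mktemp)
    printf '%s\n' "$SAMPLE_PM" >"$pmf"
    printf '%s\n' "$SAMPLE_DPM" >"$dpmf"
    suspicious_admins "$pmf" "$dpmf"
    rm -f "$pmf" "$dpmf"
}

demo_suspicious_admins
```

In the sample, the dropper (com.example.horoskope) came from Play and so is not flagged, which matches the article: the first stage looks clean, and it is the loader and the core that arrive by sideloading. A hit from this script is a lead, not a verdict; a corporate MDM agent or a vendor app can legitimately be a device admin, so confirm before you boot into safe mode and revoke it.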

Such sophistication and such targeted attacks are usually a sure sign of state-sponsored espionage. However, Bitdefender's researchers believe that even though the operators appear to be in Russia, this is a purely crime-driven, money-grubbing operation.

Following the standard pattern of Russian malware, Mandrake does not infect Android users in Russia or the former Soviet republics. It also avoids all of Africa, Arabic-speaking countries, and many poorer countries in other regions.

It also declines to install on phones with Verizon SIM cards or with SIM cards from the major Chinese carriers, although the reason is unclear.

The main target is Australia, followed by North America, Western Europe (and Poland), and the affluent regions of South America.
