This dangerous Android spyware came back via a malicious Play Store app

This dangerous Android spyware came back via a malicious Play Store app

Cybersecurity researchers have discovered a new version of the Android spyware Mandrake lurking in apps in the Google Play store

As reported by BleepingComputer, Mandrake was first discovered by Bitdefender in 2020, but before that it had been operating in the wild since at least 2016 Since then, Kaspersky has discovered new variants of Android spyware that are better at staying undetected

In a new report, researchers at the cybersecurity firm explain that this new version of Mandrake managed to sneak into the Play Store with five apps submitted in 2022 Remarkably, most of the apps were available for at least a year, and one held out for two years before it was finally discovered

If you own one of the best Android phones and are concerned about this resurfacing threat, here's everything you need to know about Mandrake Spyware and how to keep yourself safe from malware

As of this writing, all malicious apps found to contain this new version of Mandrake spyware have been removed from the Google Play Store However, if it is installed on a smartphone or Android tablet, it must be removed manually

The app in question, along with how many times it has been downloaded by unsuspecting Android users: [Of these malicious apps, AirFS is the one that has eluded detection the longest and was up in the Play Store for two years until it was finally removed in March of this year It had been up on the Play Store for two years before it was finally removed in March of this year According to Kaspersky, Android users downloaded these apps primarily in the UK, Canada, Germany, Italy, Mexico, Spain, and Peru

The malicious apps spreading the Mandrake spyware behave a bit differently than typical Android malware; instead of putting malicious logic into the app's DEX file, Mandrake uses OOLVM to obfuscate the " It hides the first step in a native library called "libopencv_dnnso [This library, once installed on the potential victim's Android phone, exports the functions used to decrypt and load into memory the second-stage loader DEX from the assets folder

This second stage also requires the drawing of an overlay, often used in overlay attacks However, this loader also loads a second native library (called "libopencv_java3so") that decrypts the certificates used for secure communication with the hacker's command and control (C2) server

Once the malicious app connects to the hacker's C2 server, it sends a device profile and receives a third stage, which is actually Mandrake spyware The spyware can perform a wide range of malicious actions, including collecting data, recording and monitoring screens, executing commands, simulating swipes and taps, managing files, and even installing additional malicious apps

The hackers behind this spyware have also devised a way to trick users into sideloading additional malware through APK files by displaying notifications disguised as genuine notifications from the Play Store

Like other dangerous strains of Android malware, Mandrake can exploit Android permissions to run in the background or hide app icons so that they can secretly run in the background without being noticed

Although all five malicious apps in question have been removed from the Play Store, cybercriminals may continue to spread spyware from Google's official app store with new apps that are harder to detect

For this reason, you should always exercise caution when downloading or installing new apps on your Android device Before downloading anything, one should look carefully at reviews and ratings However, these can be fabricated, so you should also look for outside third-party reviews and video reviews that show how a particular app works before you download it

At the same time, make sure Google Play Protect is enabled on your smartphone or tablet But for added protection, you should also consider using one of the best Android antivirus apps with it

Malicious apps have been a great success for hackers and other cybercriminals in the past That is why, despite Google's best efforts to prevent apps from being uploaded to the Play Store, this threat will not go away anytime soon For this reason, before installing a new app on an Android smartphone or tablet, one should first carefully investigate

Categories