This dangerous Android spyware came back via a malicious Play Store app.

Cybersecurity researchers have discovered a new version of the Android spyware Mandrake lurking in apps in the Google Play store.

As reported by BleepingComputer, Mandrake was first documented by Bitdefender in 2020, but it had been operating in the wild since at least 2016. Kaspersky has since discovered new variants of the spyware that are better at evading detection.

In a new report, researchers at the cybersecurity firm explain that this new version of Mandrake managed to sneak into the Play Store with five apps submitted in 2022. Remarkably, most of the apps were available for at least a year, and one held out for two years before it was finally discovered.

If you own one of the best Android phones and are concerned about this resurfacing threat, here's everything you need to know about the Mandrake spyware and how to keep yourself safe from malware.

As of this writing, all malicious apps found to contain this new version of Mandrake spyware have been removed from the Google Play Store. However, if it is installed on a smartphone or Android tablet, it must be removed manually.

Kaspersky's report lists the five apps along with how many times each was downloaded by unsuspecting Android users. Of these, AirFS eluded detection the longest: it was available on the Play Store for two years before it was finally removed in March of this year. According to Kaspersky, the apps were downloaded primarily in the UK, Canada, Germany, Italy, Mexico, Spain and Peru.

The malicious apps spreading the Mandrake spyware behave differently from typical Android malware. Instead of putting the malicious logic into the app's DEX file, where it is easy to scan, Mandrake hides the first stage in a native library called "libopencv_dnn.so", obfuscated with OLLVM. Once the app is installed on the victim's phone, this library exports the functions used to decrypt the second-stage loader DEX from the assets folder and load it into memory.

The second-stage loader requests permission to draw overlays, the same permission abused in overlay attacks. It also loads a second native library, "libopencv_java3.so", which decrypts the certificates used for secure communication with the attackers' command and control (C2) server.

Once the malicious app connects to the C2 server, it sends a device profile and receives a third stage, which is the Mandrake spyware itself. The spyware can perform a wide range of malicious actions, including collecting data, recording and monitoring the screen, executing commands, simulating swipes and taps, managing files, and even installing additional malicious apps.
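The staging pattern described above, a native library in lib/ paired with an encrypted blob in assets/ that the library decrypts into a second-stage DEX, leaves a static footprint that can be triaged without running the app. The script below is an added example written for this article, not Kaspersky's tooling or anything from the Mandrake samples themselves: it opens an APK as a ZIP, lists native libraries, flags assets whose Shannon entropy looks like ciphertext (skipping known compressed formats such as PNG, which are legitimately high-entropy), and marks the APK as suspect only when both halves of the pattern are present. The entropy threshold, the minimum file size and the sample APK it builds (reusing the library name from the article) are all constructed assumptions.

```python
"""Static triage of an APK for a Mandrake-style staging layout:
native library in lib/ plus high-entropy (encrypted) blobs in assets/.

Added example; not Kaspersky's tooling. Thresholds are assumptions.
"""
import io
import math
import random
import zipfile
from collections import Counter

# Assumption: Shannon entropy (bits/byte) at or above this is treated as
# compressed or encrypted. Plain text sits around 4-5, ciphertext near 8.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 1024  # tiny files give unreliable entropy estimates

# Known asset formats are usually compressed and legitimately high-entropy;
# skip them so they do not cause false positives.
KNOWN_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"dex\n": "dex",  # an unencrypted DEX in assets is itself worth a look
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def identify_magic(data: bytes):
    """Return a format name if the data starts with a known magic header."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def triage_apk(apk_bytes: bytes) -> dict:
    """Return native libs, suspicious assets and an overall verdict."""
    report = {"native_libs": [], "suspicious_assets": [], "suspect": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"].append(name)
            elif name.startswith("assets/") and not info.is_dir():
                data = zf.read(name)
                if len(data) < MIN_SIZE or identify_magic(data):
                    continue
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    report["suspicious_assets"].append((name, round(ent, 2)))
    # The staging pattern needs both halves: code to do the decrypting and
    # a blob to decrypt. Either one alone is common in benign apps.
    report["suspect"] = bool(report["native_libs"] and report["suspicious_assets"])
    return report


def build_sample_apk() -> bytes:
    """Constructed sample mimicking the described layout; not a real APK."""
    rng = random.Random(2024)  # seeded so the result is reproducible
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        # Fake ELF header standing in for the first-stage native library.
        zf.writestr("lib/arm64-v8a/libopencv_dnn.so", b"\x7fELF" + b"\x00" * 60)
        # Stand-in for the encrypted second-stage DEX: random bytes.
        zf.writestr("assets/opencv_dnn_cfg.bin", rng.randbytes(4096))
        # Benign assets: plain text, and a PNG-like file skipped by magic.
        zf.writestr("assets/strings.txt", b"hello world\n" * 200)
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + rng.randbytes(2048))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Run against a real APK with `triage_apk(open("app.apk", "rb").read())`. A hit is a reason to look closer (disassemble the library's exports, check whether the DEX ever references the assets it ships), not proof of malice: legitimate apps also bundle native code and opaque data files.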

The hackers behind this spyware have also devised a way to trick users into sideloading additional malware through APK files by displaying notifications disguised as genuine notifications from the Play Store.

Like other dangerous strains of Android malware, Mandrake abuses Android permissions to keep running in the background and can hide its app icon so that it goes unnoticed.

Although all five malicious apps in question have been removed from the Play Store, cybercriminals may continue to spread spyware from Google's official app store with new apps that are harder to detect.

For this reason, you should always exercise caution when downloading or installing new apps on your Android device. Before downloading anything, look carefully at its reviews and ratings. These can be fabricated, so you should also look for independent third-party reviews and video reviews that show how a particular app works before you download it.

At the same time, make sure Google Play Protect is enabled on your smartphone or tablet. But for added protection, you should also consider using one of the best Android antivirus apps with it.

Malicious apps have been a great success for hackers and other cybercriminals in the past. That is why, despite Google's best efforts to keep malicious apps from being uploaded to the Play Store, this threat will not go away anytime soon. Before installing a new app on an Android smartphone or tablet, investigate it carefully first.
