An undetected variant of a well-known Android spyware is believed to have been hiding in the Google Play App Store for about two years, infecting tens of thousands of devices, according to experts.
According to a report by Kaspersky, its researchers discovered a “suspicious sample” in April 2024 that turned out to be a new variant of the dreaded Mandrake malware.
The new sample led the team to a total of five Android apps, which were available for two years, Kaspersky said. Cumulatively, these apps had more than 32,000 downloads. They were uploaded in 2022, with individual apps available for download “for at least a year,” suggesting that not all the apps were available at the same time.
Hidden in cryptocurrency and astronomy apps
In any case, the malware was hidden in a Wi-Fi file-sharing app, an astronomy service app, an Amber for Genshin game, a cryptocurrency app, and a logic puzzle app. “According to VirusTotal, none of these apps have been detected as malware by any vendor as of July 2024,” Kaspersky concluded, adding that Google has removed them from its app repository in the meantime.
Mandrake was first spotted in 2020, with security analysts saying it had likely been active since 2016. It is an advanced malware that steals sensitive information, takes remote control of the device, and is capable of keylogging, taking screenshots, and exfiltrating data from the devices.
The new variant came with advanced obfuscation and evasion techniques, allowing it to remain undetected by security vendors. Among the techniques are the ability to move malicious functions to obfuscated native libraries using OLLVM, implement certificate pinning for secure communication with command and control (C2) servers, and perform extensive checks to detect whether it is running on a rooted device or within an emulated environment.
The malware was also able to bypass Google Play’s security checks.
Currently, none of the apps are available on Google Play, but when they were, the majority of downloads came from Canada, Germany, Italy, Mexico, Spain, Peru, and the United Kingdom.
Kaspersky suspects that the attackers are most likely of Russian origin, since all C2 domains are registered there.