Bitdefender researchers found the Mandrake spyware in the official Android app store, where it had escaped the notice of the security community for four years (since 2016). The malware took full control of infected devices, collected credentials and GPS location data, recorded the screen, and so on. At the same time, it carefully avoided infecting devices in the CIS countries (Ukraine, Belarus, Kyrgyzstan and Uzbekistan), Africa and the Middle East.
Mandrake has a three-stage structure, which is what allowed its operators to evade Google Play's security mechanisms for so long. It all started with a seemingly harmless dropper placed in the official application catalog and disguised as a legitimate application, such as a horoscope app or a cryptocurrency converter.
When such an application was installed on the victim's device, the dropper downloaded a loader from a remote server. The dropper itself was also able to remotely turn on Wi-Fi, collect information about the device, hide its presence from the victim and automatically install new applications.
The loader, in turn, was responsible for downloading and installing the Mandrake malware itself. The malware completely compromised the target device and granted itself device administrator privileges (the permission request was disguised as a license agreement), after which it gained broad capabilities: forwarding all incoming SMS messages to the attackers' server; sending messages; making calls; stealing the contact list; activating GPS and tracking the user's location; stealing Facebook credentials and financial information; recording the screen.
The malware also carried out phishing attacks against the Coinbase, Amazon, Gmail and Google Chrome applications, the apps of various banks in Australia and Germany, the XE currency conversion service and PayPal.
Worse, Mandrake is able to reset the infected device to factory settings, erasing the user's data along with all traces of the malware's activity. Once the attackers had obtained all the information they needed from a victim, Mandrake switched into "destruction mode" and wiped itself from the device.
“We believe that the number of victims of Mandrake amounts to tens or even hundreds of thousands, but we don’t know the exact number,” says Bitdefender expert Bohdan Botezatu.
The company's researchers believe that over those four years all of the spyware's attacks were coordinated manually by its operators rather than fully automated, as is usually the case. They also note that Mandrake was not spread through spam, and that the attackers appear to have carefully selected their victims.
The researchers were able to trace the Mandrake developer account on Google Play to a Russian-speaking freelancer hiding behind a network of fake company websites, stolen identities and email addresses, and fake job advertisements in North America.