A sophisticated Android spyware campaign known as Mandrake has resurfaced on the Google Play Store, infecting over 32,000 devices between 2022 and 2024.
Mandrake has returned after a two-year break with its latest campaign. The malware stays inactive on victims’ phones for long periods to avoid detection.
The app called AirFS gained more than 30,000 installations. However, it was removed from the store in March 2024.
The infected apps, masquerading as legitimate software, include:
- AirFS (30,305 downloads)
- Astro Explorer (718 downloads)
- Amber (19 downloads)
- CryptoPulsing (790 downloads)
- Brain Matrix (259 downloads)
Mandrake is an advanced cyber-espionage platform active since at least 2016. This latest version employs sophisticated evasion techniques, including moving malicious code to obfuscated native libraries and using certificate pinning for command-and-control communications. These methods allowed the malware to remain undetected by security vendors for years while stealing sensitive user data.
Mandrake is an advanced cyber-espionage platform with powerful capabilities for compromising Android devices. Once installed, it can:
- Steal account credentials and sensitive data
- Record the device screen
- Track GPS location
- Access SMS messages and contact lists
- Install or uninstall other apps
- Initiate phone calls
- Perform screen sharing with remote access
What makes Mandrake particularly insidious is its selective targeting. The malware doesn’t indiscriminately activate on every device it is installed on; instead, it chooses victims based on factors like geographic location and device characteristics. This approach helped it stay under the radar for so long.
None of the files were detected by any antivirus engine on VirusTotal.
The researchers noted that “the Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion, and bypassing new defense mechanisms.”
The infection process happens in stages. At first, the “dropper” app seems harmless. Later, it downloads more parts that contain the complete dangerous payload. This multi-stage approach makes it even harder to detect the infection.
While most infections were found in Canada, Germany, and other European countries, the threat is global. Users worldwide should be cautious when downloading new or unfamiliar apps, even from official sources like Google Play.
Users are advised to be cautious when downloading new apps, especially from unknown developers. Always check app permissions carefully and be wary of apps requesting excessive access to device functions.
Google has since removed the malicious apps from the Play Store. However, users who may have installed these applications should immediately delete them and run a security scan on their devices.