According to the cybersecurity company, five apps that were available on Google Play from 2022 to 2024 contained the new version of the Mandrake malware. They were collectively downloaded over 32,000 times, predominantly by users in Canada, Germany, Italy, Mexico, Spain, Peru and the UK.
Here are the names of the infected apps:
- AirFS – 30,305 installs
- Astro Explorer – 718 installs
- Amber – 19 installs
- CryptoPulsing – 790 installs
- Brain Matrix – 259 installs
Most of these apps remained available on Google Play for at least a year before being removed, with one – AirFS – getting the boot only in March 2024. Until today, none of the apps were flagged as malicious by any anti-virus provider.
The Mandrake applications employed new layers of obfuscation techniques to lie low, such as conducting malicious activities in obfuscated libraries and using certificate pinning to prevent network sniffing.
AirFS, the most-downloaded of the five, masqueraded as a file-sharing app, but users complained it did not work and stole their data.
That’s not all these apps were capable of, with the report noting they can send device information and a list of installed apps to their masters, install more apps, change icons, and ask for permission to run in the background.
Like the earlier versions, the new Mandrake platform works in three stages. It only tries to infect a victim once the target is deemed relevant, a decision made on the strength of the data collected.
Once a device is designated a target, the malware records the screen and collects cookies to steal credentials and to “download and execute next-stage malicious applications”, which are Mandrake’s main goals.
To get you to install a new app, Mandrake sends notifications that look like they came from Google Play. With Android 13, the Restricted Settings feature was introduced to prevent sideloaded apps from requesting dangerous permissions directly, but Mandrake is capable of bypassing it.
Check your phone for the aforementioned apps and if you happen to have downloaded any of them, delete them right away.
Google gave the following statement to Bleeping Computer regarding the apps:
Google Play Protect is continuously improving with each app identified. We’re always enhancing its capabilities, including upcoming live threat detection to help combat obfuscation and anti-evasion techniques. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.