An undetected variant of a known Android spyware was reprotedly hiding on the Google Play app store for roughly two years, infecting tens of thousands of devices, experts have warned.
A report from Kaspersky says that in April 2024, its researchers uncovered a “suspicious sample” which turned out to be a new variant of the dreaded Mandrake malware.
The new sample led the team to a total of five Android apps, which were available for two years, Kaspersky said. Cumulatively, these apps had more than 32,000 downloads. They were uploaded in 2022, with individual apps being available for download “for at least a year”, suggesting that not all were available at the same time.
Hiding in cryptocurrency and astronomy apps
Regardless, the malware was hiding in a Wi-Fi file sharing app, an astronomy services app, an Amber for Genshin game, a cryptocurrency app, and an app with logic puzzles. “As of July 2024, none of these apps have been detected as malware by any vendor, according to VirusTotal,” Kaspersky concluded, adding that Google removed them from its app repository in the meantime.
Mandrake was first spotted in 2020, when security analysts said that it was most likely active since 2016. It is a sophisticated malicious software that steals sensitive information, gains remote control over the device, and is capable of keylogging, capturing screenshots, and exfiltrating data from the devices.
The new variant came with advanced obfuscation and evasion techniques, which allowed it to remain undetected by security vendors. One of the techniques is the ability to shift malicious functions to obfuscated native libraries using OLLVM, to implement certificate pinning for secure communication with command and control (C2) servers, and to run extensive checks to detect whether it is is operating on a rooted device or within an emulated environment.
The malware was also able to bypass Google Play’s security checks, as well.
At the moment, none of the apps are available in Google Play, but while they were, most of the downloads were coming from Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
The attackers, Kaspersky suggests, are most likely of Russian origins, since the C2 domains are all registered there.