This dangerous Android spyware has returned via malicious Play Store apps — delete them right now
Malicious apps containing the Mandrake spyware remained undetected for years
Cybersecurity researchers have discovered a new version of the Mandrake Android spyware hiding in apps on the Google Play Store.
As reported by BleepingComputer, Mandrake was first documented by Bitdefender in 2020, but it had been operating in the wild since at least 2016. Now Kaspersky has found a new variant of the Android spyware that is considerably better at staying undetected.
In a new report, the firm's researchers explain that this version of Mandrake made it onto the Play Store inside five apps submitted back in 2022. Most of them remained available for at least a year, and one stayed up for two years before it was finally spotted.
If you own one of the best Android phones and are worried about this resurfaced threat, here’s everything you need to know about the Mandrake spyware and how to stay safe from malware.
Delete these apps right now
At the time of writing, all malicious apps found to contain this new version of the Mandrake spyware have been removed from the Google Play Store. However, if you have any of them installed on your smartphone or one of the best Android tablets, you must manually delete them.
Here are the apps in question, along with how many times unsuspecting Android users have downloaded them:
- AirFS - 30,305 downloads
- Astro Explorer - 718 downloads
- Amber - 19 downloads
- CryptoPulsing - 790 downloads
- Brain Matrix - 259 downloads
Of these malicious apps, AirFS is the one that managed to evade detection the longest, and it was up on the Play Store for two years before eventually being taken down back in March of this year. According to Kaspersky, Android users mainly downloaded these apps in the U.K., Canada, Germany, Italy, Mexico, Spain and Peru.
Hiding in plain sight
The malicious apps spreading the Mandrake spyware are packaged differently from typical Android malware. Instead of putting the malicious logic in the app's DEX file, where most scanners look first, Mandrake hides its first stage in a native library named "libopencv_dnn.so" that is obfuscated with OLLVM (Obfuscator-LLVM).
Once the app is installed and run on a victim's Android phone, the exported functions of this library decrypt the second-stage loader DEX from the app's assets folder and load it directly into memory.
This second stage requests permission to draw over other apps, the same permission overlay attacks rely on. It also loads a second native library, "libopencv_java3.so", which decrypts a certificate used to secure communications with the hacker-controlled command and control (C2) server.
Once the malicious app is connected to the hacker’s C2 server, it sends a device profile and receives its third stage, which is actually the Mandrake spyware. The spyware can perform a wide range of malicious actions such as collecting data, screen recording and monitoring, command execution, simulating swipes and taps, managing files, and even installing additional malicious apps.
The hackers behind this spyware have also devised a way to display notifications that impersonate real ones from the Play Store to trick users into side-loading additional malware through APK files.
Like other dangerous Android malware strains, Mandrake abuses Android permissions to keep running in the background and hides its app icon so the victim has no visible reminder that the app is installed.
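The packaging pattern described above (malicious logic in a native library that borrows a well-known library's name, plus an encrypted payload under assets/ that only native code unpacks) can be triaged statically before an app is ever run. The script below is an added example written for this article; it is not Kaspersky's detection logic and not code from any of the apps. It opens an APK as the ZIP container it is and flags two things: native libraries named like OpenCV when the app's own bytecode never references the org.opencv Java package, and large opaque assets whose byte entropy suggests an encrypted or packed blob. The two APK skeletons it builds are constructed inline for the demo, and the thresholds (4 KiB, 7.5 bits per byte) are assumptions, not figures from the report.

```python
"""Static APK triage for the loader layout described above.
Added example: heuristics only, this flags the *shape* of the packaging and
does not identify Mandrake itself. Thresholds below are our own assumptions."""
import io
import math
import random
import zipfile
from collections import Counter

MIN_BLOB_SIZE = 4096   # assumption: anything smaller is unlikely to hold a DEX or cert
HIGH_ENTROPY = 7.5     # assumption: bits/byte above this looks encrypted or packed
# Library-name prefixes that borrow a well-known project's identity, paired with
# the Java package an app genuinely using that project would reference in its DEX.
BORROWED_NAMES = {"libopencv_": b"Lorg/opencv/"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk: bytes) -> dict:
    """Return the suspicious packaging indicators found in one APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        libs = [n for n in names if n.startswith("lib/") and n.endswith(".so")]
        assets = [n for n in names if n.startswith("assets/") and not n.endswith("/")]
        # All bytecode lives in root-level classes.dex, classes2.dex, ...; DEX string
        # tables are MUTF-8, so a raw substring search for a package name works.
        dex = b"".join(z.read(n) for n in names if n.endswith(".dex") and "/" not in n)

        # Check 1: a native lib that borrows a known library's name while the app's
        # bytecode never touches that library's Java package.
        for prefix, java_pkg in BORROWED_NAMES.items():
            borrowed = sorted(n for n in libs if n.rsplit("/", 1)[-1].startswith(prefix))
            if borrowed and java_pkg not in dex:
                findings.append({"type": "borrowed_lib_name", "libs": borrowed})

        # Check 2: opaque, high-entropy assets big enough to hold a second-stage DEX
        # or a certificate that only native code would decrypt. Note that fonts and
        # already-compressed images also score high, so this is a signal, not a verdict.
        for n in assets:
            blob = z.read(n)
            if len(blob) >= MIN_BLOB_SIZE:
                ent = shannon_entropy(blob)
                if ent >= HIGH_ENTROPY:
                    findings.append({"type": "opaque_asset", "path": n, "entropy": round(ent, 2)})

    return {"native_libs": sorted(libs), "findings": findings, "suspicious": bool(findings)}


def _build_apk(entries: dict) -> bytes:
    """Write a minimal ZIP with the given paths; enough structure for triage_apk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()


def sample_apks() -> dict:
    """Two constructed APK skeletons (not real samples): 'staged' mimics the layout
    described in the article, 'legit' is an app that genuinely uses OpenCV."""
    rng = random.Random(2024)
    opaque = bytes(rng.getrandbits(8) for _ in range(16384))  # stands in for an encrypted DEX
    elf_stub = b"\x7fELF" + b"\x00" * 64                        # placeholder library body
    staged = _build_apk({
        "classes.dex": b"dex\n035\x00Lcom/example/app/MainActivity;\x00opencv_dnn\x00",
        "lib/arm64-v8a/libopencv_dnn.so": elf_stub,
        "lib/arm64-v8a/libopencv_java3.so": elf_stub,
        "assets/data.bin": opaque,
    })
    legit = _build_apk({
        "classes.dex": b"dex\n035\x00Lorg/opencv/core/Mat;\x00opencv_java4\x00",
        "lib/arm64-v8a/libopencv_java4.so": elf_stub,
        "assets/strings.json": b'{"title": "hello"}' * 300,
    })
    return {"staged": staged, "legit": legit}


if __name__ == "__main__":
    for label, apk in sample_apks().items():
        print(label, triage_apk(apk))
```

Run against a real APK with `triage_apk(open("app.apk", "rb").read())`. A hit on both checks is worth a closer look (disassembling the exported symbols of the flagged library, and trying to decrypt the asset with keys recovered from it); a hit on only the entropy check is common in perfectly honest apps that ship fonts or media.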
How to stay safe from Android malware
While all five malicious apps have been removed from the Play Store, the same operators could resubmit the spyware in new, harder-to-detect apps, and the fact that these ones survived review for up to two years shows that a Play Store listing is no guarantee of safety.
For this reason, you always need to be careful when downloading and installing new apps on your Android devices. You want to look at reviews and ratings carefully before downloading anything. Still, as these can be faked, you should also look for external third-party reviews and video reviews that show a particular app in action before you download it.
At the same time, you also want to ensure that Google Play Protect is enabled on your smartphone or tablet since it can scan all your existing apps and any new ones you download for malware. For additional protection, though, you should also consider using one of the best Android antivirus apps alongside it.
Malicious apps have been very successful for hackers and other cybercriminals in the past, which is why this threat likely won’t be going away anytime soon despite Google’s best efforts to prevent them from ending up on the Play Store. This is why you need to be careful and do your research first before installing any new apps on your Android smartphone or tablet.
Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.