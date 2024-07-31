Countries
New Mandrake Spyware Found Hiding in Google Play Store Apps for 2 Years

Krishi Chowdhary, Journalist

  • Kaspersky, the Russian cybersecurity company, has found a new version of the Mandrake spyware hiding in 5 Google Play apps.
  • All the infected apps have been removed, but they had already been downloaded 32,000 times. Most of the downloads came from Spain, Peru, Germany, Canada, and the UK.
  • The worst part about this new version is that it’s very hard to detect.

New Mandrake Spyware Found Hiding in Google Play Store Apps

A new version of the popular Android spyware Mandrake has been found in 5 Google Play Store applications, according to a Kaspersky report.  These apps include:

  • AirFS (com.airft.ftrnsfr)
  • Amber (com.shrp.sght)
  • Brain Matrix (com.Astro.dscvr)
  • Cryptopulsing (com.breath.mtrx)
  • Astro Explorer (com.cryptopulsing.browser)

According to the report, the spyware has been hiding in these apps for the last 2 years. Together, these apps have more than 32,000 installations.

Most of these downloads came from Mexico, Spain, Peru, Germany, Canada and the UK. All 5 apps have now been removed from the Play Store; the most popular one, AirFS, was removed at the end of March 2024.
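For readers who manage a fleet of Android devices, the package names above are the most directly actionable part of the report. The following script is an added example (not from the article, Kaspersky or Google) that triages a device's package inventory: it flags any package whose name appears in the list above and, as a secondary heuristic tied to the sideloading discussion later in the article, any package whose installer is not a trusted store. It assumes the input is the output of `adb shell pm list packages -i`, which prints one line per package as `package:<name>  installer=<installer package or null>`; the sample inventory embedded in the script is constructed, not captured from a real device.

```python
"""
Defender-side triage of an Android package inventory against the Mandrake
package names listed in the article.  Added example, not code from the article
or from Kaspersky's report.  Assumed input format: `adb shell pm list packages -i`,
one line per package: `package:<name>  installer=<installer package or null>`.
"""
import re
from dataclasses import dataclass

# Package names named in the article (one had an extraction space removed).
MANDRAKE_PACKAGES = frozenset({
    "com.airft.ftrnsfr",
    "com.shrp.sght",
    "com.Astro.dscvr",
    "com.breath.mtrx",
    "com.cryptopulsing.browser",
})
# Android package names are case-sensitive, but the article's list mixes case,
# so matching is done case-insensitively to avoid missing a hit.
_MANDRAKE_LOWER = frozenset(p.lower() for p in MANDRAKE_PACKAGES)

# Installer ids treated as trusted store installs (assumption: Google Play only).
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_inventory(text):
    """Yield (package, installer) pairs; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("pkg"), m.group("inst")


def triage(text):
    """Return a list of Findings for known Mandrake packages and sideloaded apps."""
    findings = []
    for pkg, inst in parse_inventory(text):
        if pkg.lower() in _MANDRAKE_LOWER:
            findings.append(Finding(pkg, inst, "known Mandrake package name"))
        elif inst not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, inst, "sideloaded (installer not trusted)"))
    return findings


# Constructed sample inventory: one listed package installed from Play, one
# listed package installed via the system package installer, one unrelated
# sideloaded app, one ordinary Play-installed app, and a malformed line.
SAMPLE_INVENTORY = """\
package:com.airft.ftrnsfr  installer=com.android.vending
package:com.cryptopulsing.browser  installer=com.android.packageinstaller
package:com.example.notes  installer=null
package:com.google.android.gm  installer=com.android.vending
this line is not a package entry
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.package:32} installer={f.installer:32} {f.reason}")
```

The known-package check is exact and should be treated as a confirmed hit that warrants removal; the sideloaded heuristic is only a review queue, since legitimate enterprise MDM and OEM installs also show non-Play installers.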

About the New Version of Mandrake

The new version employs additional layers of evasion techniques, according to researchers Tatyana Shishkova and Igor Golovin:

  • Moving malicious functionality to obfuscated native libraries
  • Using certificate pinning for C2 communications, and
  • Performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment.

For example, Android 13 added a “Restricted Settings” feature that prevents sideloaded apps from requesting dangerous permissions. Mandrake sidesteps this hurdle by performing the installation through a session-based package installer.

There are three stages involved:

  • The first stage is a dropper that launches a loader, which in turn downloads and then executes the core component of the malware.
  • In the second stage, information about the device’s connectivity status, battery percentage, IP address, and the current Google Play version is collected. In this stage, the spyware can also wipe the core module and get permission to draw overlays and run in the background.
  • In the last stage, it can load a special URL on the web that will eventually grant the threat actor remote screen-sharing access.

What Does Google Have to Say About This?

Google has been informed about the incident. The tech giant said that it’s constantly strengthening its security to keep such threat actors away from its users. For example, it has added live threat detection to counter this kind of evasion technique.

Speaking specifically of Mandrake, Google said that users are already protected against the known versions of this spyware by Google Play Protect, which is turned on by default on all Android devices.

But as Kaspersky mentioned, Mandrake is one of those malware families that is constantly evolving and coming up with new evasion techniques, so tackling it remains a major challenge.

It is believed that the spyware first became active in 2016 but managed to evade detection until 2020 when it was first documented by Romanian cybersecurity vendor Bitdefender. It’s been 4 years and yet Mandrake has managed to escape scot-free every single time.

© Copyright 2024 The Tech Report Inc. All Rights Reserved.