Android Spyware Mandrake Discovered in Google Play

A new variant of Mandrake was found in five apps on Google Play. Combined, these apps were downloaded over 32,000 times, primarily in Canada, Germany, Italy, Mexico, Spain, Peru and the UK. The malware adds new layers of obfuscation to avoid detection.

Mandrake evaded Google Play's defenses for nearly two years. The spyware uses a multi-stage process to infect devices, and infections have been reported worldwide, affecting thousands of users.

The Mandrake campaign was first analyzed in a 2020 report by Bitdefender, which detailed two major infection waves, 2016 to 2017 and 2018 to 2020. During both periods the malware was distributed through Google Play.

In April 2024, new samples of Mandrake were identified, signaling a resurgence of the campaign. Five applications containing Mandrake were discovered, collectively amassing over 32,000 installations between 2022 and 2024. All five managed to stay under the radar for that whole period.

The new version of Mandrake utilizes multiple layers of obfuscation to conceal its malicious functionality.

Key tactics include moving the core malicious components into native libraries and obfuscating those libraries with OLLVM.

Communication with the command-and-control (C2) servers uses certificate pinning: the client trusts only the certificate shipped with the malware, so an interception proxy that presents its own certificate cannot decrypt the TLS traffic.

Mandrake is equipped with an array of sandbox-evasion and anti-analysis techniques. It runs extensive checks to determine whether it is executing on a rooted device or in an emulator, so that it can stay inert in front of security researchers and automated analysis systems.

Five Applications Were Identified as Carriers of the Mandrake Spyware

1. AirFS – File Sharing via Wi-Fi by it9042:

  • Downloads: 30,305
  • Active Period: April 28, 2022, to March 15, 2024
  • Description: Marketed as a file-sharing app, AirFS was the most successful in terms of downloads and infections.

2. Astro Explorer by shevabad:

  • Downloads: 718
  • Active Period: May 30, 2022, to June 6, 2023
  • Description: Astro Explorer was presented as a space-exploration tool but served only as an infection vehicle.

3. Amber by kodaslda:

  • Downloads: 19
  • Active Period: February 27, 2022, to August 19, 2023
  • Description: Amber's low download count did not change its role; it carried the same Mandrake payload.

4. CryptoPulsing by shevabad:

  • Downloads: 790
  • Active Period: November 2, 2022, to June 6, 2023
  • Description: This app masqueraded as a cryptocurrency application, tricking users into downloading it.

5. Brain Matrix by kodaslda:

  • Downloads: 259
  • Active Period: April 27, 2022, to June 6, 2023
  • Description: Posing as a cognitive training tool, Brain Matrix also contributed to the spread of the spyware.

Across the five apps, downloads were concentrated in Canada, Germany, Italy, Mexico, Spain, Peru and the UK, showing the campaign's global reach.

The new Mandrake Variant Employs a Variety of Advanced Techniques to Remain Hidden and Effective:

1. Obfuscation with Native Libraries

libopencv_dnn.so and libopencv_java3.so: Unlike typical Android malware, which places its malicious logic in the app's DEX file, Mandrake hides its first stage in these native libraries, whose names mimic legitimate OpenCV components. This makes the malware harder for analysts and automated tools to detect and analyze.

OLLVM Obfuscation: The use of OLLVM (Obfuscator-LLVM) on those native libraries increases the complexity of the compiled code, hindering reverse engineering and making it harder for security tools to identify the threat.

Mandrake’s Infection Process is Divided into Three Stages:

Stage 1 – The Dropper:

The app acts as a dropper: the first stage lives in the native library and launches the subsequent stages. Functions exported by the library decrypt the second-stage loader DEX from the assets folder and load it into memory.

Stage 2 – The Loader:

This stage requests permission to draw overlays and loads a second native library, which decrypts a certificate for secure communication with the C2 server.

It gathers connectivity status, installed applications, battery percentage, external IP address and Google Play version.

Stage 3 – The Core:

Once activated, this component lets Mandrake collect data, record the screen and execute commands.

Capabilities include simulating user swipes and taps, file management, app installation and prompting the user to install further malicious APKs.

Mandrake uses certificate pinning for its connection to the command-and-control (C2) server, which makes it harder for analysts to intercept or inspect the traffic with a man-in-the-middle proxy.
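As an added example (not code from the page or from the malware), the following Python shows what pinning a single certificate means on the client side: the TLS context trusts only the bundled certificate, and the hash of the leaf certificate actually presented is compared against a stored pin, so a proxy that substitutes its own certificate is rejected before any C2 message is sent. The DER byte strings are constructed placeholders rather than real certificates, and the function names, host and port are assumptions.

```python
"""Client-side certificate pinning, shown as an added example.
Not Mandrake's code. CERT bytes below are constructed placeholders."""
import hashlib
import hmac
import socket
import ssl


def cert_pin(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as a hex string.
    Pinning the whole certificate (what the text describes) means any
    certificate rotation on the server breaks the client."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(presented_der: bytes, expected_pin: str) -> bool:
    """Constant-time comparison of the presented leaf's pin with the stored one."""
    return hmac.compare_digest(cert_pin(presented_der), expected_pin)


def pinned_context(trusted_cert_pem: str) -> ssl.SSLContext:
    """Trust exactly one certificate (the pinned one), not the system store.
    Hostname checking is off because the pin, not the DNS name, is the
    identity check; a rogue CA in the system store therefore does not help."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=trusted_cert_pem)
    return ctx


def connect_and_verify(host: str, port: int, expected_pin: str,
                       ctx: ssl.SSLContext) -> str:
    """Open a TLS connection and refuse to talk unless the leaf matches the pin.
    Returns the negotiated TLS version on success (assumed signature)."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, expected_pin):
                raise ssl.SSLError("certificate pin mismatch; possible interception")
            return tls.version()


# Constructed placeholders standing in for DER certificate bytes.
C2_CERT_DER = b"constructed-c2-certificate-der-bytes"
PROXY_CERT_DER = b"constructed-mitm-proxy-certificate-der-bytes"
EXPECTED_PIN = cert_pin(C2_CERT_DER)

if __name__ == "__main__":
    print("genuine cert accepted:", pin_matches(C2_CERT_DER, EXPECTED_PIN))
    print("proxy cert accepted:  ", pin_matches(PROXY_CERT_DER, EXPECTED_PIN))
```

For an analyst the practical consequence is the mirror image of this code: to see the traffic, the pin check (or the loaded certificate) has to be patched out of the sample, not the device's trust store.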

The app sends a device profile to the C2 server and receives the core Mandrake component if deemed suitable for infection.

The spyware runs a series of checks for debugging tools, emulated environments and other signs of malware analysis. These include checking for Frida (a dynamic instrumentation toolkit), root status, whether the system partition is mounted read-only, and whether developer settings are enabled.

To get around Android 13's restrictions on installing APKs from unofficial sources, Mandrake uses a session-based package installer instead of the older intent-based install prompt. Installing through an installer session lets the spyware sidestep the newer restrictions.

Technical Details

Malware Implantation

  • Primary Application:
    The main application in this campaign, named AirFS, was available on Google Play for two years and updated as recently as March 15, 2024. Disguised as a file-sharing app, it had over 30,000 downloads.
  • Infection Chain:
    Mandrake operates in a multi-stage infection process including:
  1. Dropper Stage:
    The initial stage conceals its activities within a native library (libopencv_dnn.so), making it more challenging to analyze compared to typical DEX files. This library decrypts and loads the next stage.
  2. Loader Stage:
    Once decrypted, the second stage (loader) is responsible for loading the main service and starting the application’s malicious activities. It uses the library libopencv_java3.so for further operations including setting up secure C2 communications.
  3. Core Stage:
    If the C2 server identifies the device as a valuable target, it commands the app to download and execute the core component which contains the primary spyware functionality.

Data Decryption Process

  • String Decryption:
    The decryption logic involves XORing the first three bytes of the encrypted data to determine the string length and using the first two bytes as keys for custom XOR encoding.
  • AES Key Handling:
    Keys and IVs for AES decryption are similarly encoded with parts XORed against specific constants. The encrypted C2 certificate stored in the assets folder and it is decrypted using the same mechanism.

Advanced Evasion Techniques

  • Environment Checks:
    Mandrake checks whether it is running in an analysis environment rather than on a victim's device. It looks for indicators of rooting (for example the su binary, SuperUser.apk, BusyBox and Magisk) and for developer settings such as ADB being enabled.
  • Frida Detection:
    The malware also checks for Frida, a popular dynamic instrumentation toolkit used in reverse engineering: it computes CRCs of libraries loaded in memory and looks for thread names associated with Frida, terminating execution if any are found.
  • Certificate Pinning:
    Mandrake uses an encrypted certificate, bundled with the app, for its TLS connections. The client accepts only that certificate as the server's identity, so the traffic cannot be intercepted by presenting a substitute certificate.
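The environment checks described above (root artifacts, the /system mount state, developer settings and Frida thread names) are shown here as an added Python example that emulates them on an analyst's own host. This is not Mandrake's code, and the lists of root paths and Frida thread names are assumptions drawn from commonly documented indicators, not from the sample; the point is to let a sandbox operator see which artifacts such a routine would trip on. The two host snapshots at the bottom are constructed.

```python
"""Added example: emulation of anti-analysis environment checks.
Not Mandrake's code; indicator lists are assumptions from public write-ups."""
import os
from dataclasses import dataclass

# Commonly cited superuser / root-manager artifacts (assumed list).
ROOT_PATHS = (
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/system/app/Superuser.apk", "/system/app/SuperSU.apk",
    "/system/xbin/busybox", "/sbin/.magisk", "/data/adb/magisk",
)
# Thread names created by frida-server / frida-gadget (assumed list).
FRIDA_THREADS = ("gmain", "gdbus", "gum-js-loop", "pool-frida", "linjector")


@dataclass
class HostView:
    """Injectable snapshot of everything the checks look at, so the logic
    can be exercised without a real rooted phone."""
    existing_paths: set          # subset of ROOT_PATHS that exist on disk
    thread_names: list           # /proc/self/task/*/comm contents
    system_mount_opts: str       # mount options of /system, e.g. "ro,relatime"
    adb_enabled: bool            # Settings.Global.ADB_ENABLED on Android
    dev_settings_enabled: bool   # Settings.Global.DEVELOPMENT_SETTINGS_ENABLED


def read_live_host() -> HostView:
    """Best-effort snapshot of the current Linux/Android process and host.
    The two Settings flags cannot be read from plain Python, so they are
    left False here; an Android implementation would query ContentResolver."""
    threads = []
    task_dir = "/proc/self/task"
    if os.path.isdir(task_dir):
        for tid in os.listdir(task_dir):
            try:
                with open(f"{task_dir}/{tid}/comm") as f:
                    threads.append(f.read().strip())
            except OSError:
                pass
    opts = ""
    try:
        with open("/proc/mounts") as f:
            for line in f:
                parts = line.split()
                if len(parts) > 3 and parts[1] == "/system":
                    opts = parts[3]
    except OSError:
        pass
    return HostView({p for p in ROOT_PATHS if os.path.exists(p)},
                    threads, opts, False, False)


def analysis_indicators(view: HostView) -> list:
    """Return every tripped check; an empty list means 'looks like a real
    victim device', which is the only case in which the malware proceeds."""
    hits = []
    for p in ROOT_PATHS:
        if p in view.existing_paths:
            hits.append(f"root artifact: {p}")
    if view.system_mount_opts and "rw" in view.system_mount_opts.split(","):
        hits.append("/system mounted read-write")
    for name in view.thread_names:
        if name in FRIDA_THREADS:
            hits.append(f"frida thread: {name}")
    if view.adb_enabled:
        hits.append("adb enabled")
    if view.dev_settings_enabled:
        hits.append("developer settings enabled")
    return hits


# Constructed snapshots: a stock phone and a typical analyst device.
CLEAN_PHONE = HostView(set(), ["main", "Binder:1234_1"], "ro,relatime", False, False)
ANALYST_BOX = HostView({"/system/xbin/su", "/data/adb/magisk"},
                       ["main", "gmain", "gum-js-loop"], "rw,relatime", True, True)

if __name__ == "__main__":
    for label, view in (("clean phone", CLEAN_PHONE), ("analyst box", ANALYST_BOX),
                        ("this host", read_live_host())):
        print(f"{label}: {analysis_indicators(view) or 'no indicators'}")
```

Each tripped indicator is something the sandbox has to hide (rename Frida's threads, keep /system read-only, remove su and Magisk paths from the view the app gets) before the sample will fetch its next stage; the CRC check over loaded libraries mentioned in the text additionally means that patching a library in memory must leave its checksum as the sample expects, which is not modelled here.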

Command and Control (C2) Communication

  • Custom Serialization:
    C2 communication uses a custom JSON-like serialization format. Messages are encrypted and structured as nodes, each containing a unique identifier, a request field and a data field.
  • Request and Response Opcodes:
    Mandrake uses opcodes in the range 1000 to 1058. The meaning of an opcode depends on direction: the same value can mean one thing in a request and another in a response, as 1010 below shows.
  • Request Opcodes:
    • 1000: Send device information.
    • 1003: Send a list of installed applications.
    • 1010: Send component information.
  • Response Opcodes:
    • 1002: Set contact rate for client-server communication.
    • 1010: Command to install the next-stage APK.
    • 1011: Abort the installation process.
    • 1022: Request to allow the app to run in the background.
    • 1023: Cancel the background permission request.
    • 1027: Modify the application icon.
