Description
n April 2024, Securelist discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any other vendor. The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment.
Date
| Published | Created | Modified |
|---|---|---|
| July 29, 2024, 8:36 p.m. | July 29, 2024, 8:36 p.m. | July 29, 2024, 9:04 p.m. |
Indicators
07fec5af5336dd2fbb0b0cb2277a279afb0ab1949dd9fe9e6c0ecfdc02908212
85.214.132.126
45.142.122.12
Attack Patterns
Mandrake
T1497
T1564
T1036
T1204