New Mandrake Android spyware version discovered on Google Play

July 29, 2024, 9:04 p.m.

Description

n April 2024, Securelist discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any other vendor. The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment.

External References

https://securelist.com/mandrake-apps-return-to-google-play/113147/
https://otx.alienvault.com/pulse/66a7fd36340f974f4d5549bd
Tags
malware
android
spyware
google play
2024-07-29
mobile malware
mandrake
response opcode
apk file
airfs

Date

  • Created: July 29, 2024, 8:36 p.m.
  • Published: July 29, 2024, 8:36 p.m.
  • Modified: July 29, 2024, 9:04 p.m.

Indicators

  • 07fec5af5336dd2fbb0b0cb2277a279afb0ab1949dd9fe9e6c0ecfdc02908212
  • 85.214.132.126
  • 45.142.122.12
  • toxicodendron.ru
  • ricinus.su
  • ricinus.ru
  • ricinus-cc.ru
  • ricinus-cb.ru
  • ricinus-ca.ru
Download all indicators here!

Attack Patterns

  • Mandrake