Sneaky Mandrake Malware Infiltrates Google Play Again To Spy On Android Devices

Android spyware dubbed Mandrake is back. After being caught in 2020, it managed to sneak back into the Google Play Store in 2022 and remained available until Kaspersky spotted it in April of 2024. During those two years, Mandrake accumulated 32,000 victims across several apps, the most popular being a Wi-Fi file sharing app called AirFS.

Mandrake employs several techniques that allowed it to remain undetected for so long. One is placing key code in a different location from where most Android malware keeps it and obfuscating that code with open-source tools. Moreover, its use of certificate pinning makes traffic between the malware and its command-and-control servers difficult to intercept. Lastly, it goes to great lengths to evade the sandboxes and analysis tools that researchers rely on.

Once on a victim’s device, Mandrake requests permission to run in the background so it can gather various bits of data, including device information and the list of installed applications. It can also request the installation of other APKs, record the user’s screen, and check whether the device is rooted.
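The capabilities described above (background execution, enumerating installed apps, installing other APKs, screen capture) each normally require an app to declare specific Android permissions, which makes a manifest triage a cheap first check for a defender or app reviewer. The script below is an added example, not code from the article or from the Mandrake analysis: it parses a constructed AndroidManifest.xml, maps declared permissions back to those capability groups, and reports which groups are unexpected for an app advertised as a Wi-Fi file sharing tool. The permission-to-capability mapping and the "expected for this app type" baseline are assumptions made for illustration.

```python
"""Triage an AndroidManifest.xml for capability groups that are out of place
for the app's advertised purpose.  Added illustrative example; the sample
manifest below is constructed and is not Mandrake's or AirFS's manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Assumed mapping from the behaviours the article describes to the
# permissions an app would normally have to declare to perform them.
CAPABILITY_PERMISSIONS = {
    "run in background": {
        "android.permission.FOREGROUND_SERVICE",
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    },
    "enumerate installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "install other APKs": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "draw over / record screen": {
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",
    },
}

# Constructed sample: a "file sharing" app declaring far more than it needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filesharing">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Example File Share"/>
</manifest>"""

# Constructed benign counterpart: only what a LAN file-sharing app needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benignshare">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect every android:name on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml: str) -> dict[str, list[str]]:
    """Map each capability group to the declared permissions that enable it.
    Groups with no matching permission are omitted."""
    perms = declared_permissions(manifest_xml)
    hits = {}
    for capability, needed in CAPABILITY_PERMISSIONS.items():
        matched = sorted(perms & needed)
        if matched:
            hits[capability] = matched
    return hits


def unexpected_capabilities(manifest_xml: str,
                            expected: set[str] = frozenset({"run in background"})
                            ) -> list[str]:
    """Capability groups present in the manifest but not in the baseline for
    the app's advertised purpose.  A file-sharing app plausibly needs a
    foreground service; it has no reason to install APKs or draw overlays."""
    return sorted(cap for cap in triage(manifest_xml) if cap not in expected)


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, "->", triage(xml))
        print(label, "unexpected:", unexpected_capabilities(xml))
```

The output is a triage signal rather than a verdict: a legitimate app may have a reason to declare one of these permissions, and malware can obtain some capabilities at runtime without a manifest entry, so the result should feed a manual review rather than replace one.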


This latest discovery shows that threat actors are getting better at bypassing the checks put in place by mobile platforms. However, there was a canary in the coal mine warning about this malware before researchers found it. User reviews for AirFS described how broken the app was, and one user caught on that it was malware, writing “Scam. App hacks info your phone and accounts.” It might be worth Google’s and Apple’s while to check reviews for comments like this one as part of maintaining their app stores.

The return of Mandrake shows that users need to be careful even when using official app stores, making sure they know the developer before tapping install. It will probably make things tougher for small, unknown app developers going forward.