Hey there, folks! Have you heard about the latest sneaky move by the Mandrake malware targeting Android users? It’s quite a story!
Unveiling the Return of Mandrake Malware on Google Play Store
Recently, Kaspersky shared a startling report revealing the reappearance of Mandrake Android malware on the Google Play Store. This notorious spyware managed to hide in five different apps on the platform between 2022 and 2024, accumulating a staggering 32,000 downloads.
Mandrake malware made its debut back in 2020, catching the attention of cybersecurity experts at Bitdefender. Fast forward to today, and this malware has evolved into a more sophisticated version, as evidenced by its latest activities.
What sets this new Mandrake variant apart is the heavy obfuscation layered into its code, which likely allowed the malicious apps to slip past Google Play Store’s security checks undetected. The malware also communicates stealthily with its command-and-control (C&C) server, using certificate pinning to prevent interception of its SSL traffic. On top of that, it employs a range of sandbox-evasion and anti-analysis tactics to stay under the radar.
Upon investigating a suspicious app, Kaspersky researchers uncovered five apps from three different developers harboring the Mandrake malware:
| Application name on Google Play Store | App package | Developer name |
|---|---|---|
| AirFS | com.airft.ftrnsfr | it9042 |
| Astro Explorer | com.astro.dscvr | shevabad |
| Amber | com.shrp.sght | kodaslda |
| CryptoPulsing | com.cryptopulsing.browser | shevabad |
| Brain Matrix | com.brnmth.mtrx | kodaslda |
All five apps made their way onto the Google Play Store in 2022 and lingered there until 2023, except for AirFS, which received its last update in March 2024 before removal. Interestingly, AirFS garnered the most downloads, surpassing 10,000.
Kaspersky’s report delves into a detailed technical analysis of this new Mandrake variant. While the identity of the threat actor remains a mystery, Kaspersky suspects it’s the same group responsible for the 2020 campaign uncovered by Bitdefender.
The unfortunate victims of this malware primarily hail from the UK, Germany, Canada, Mexico, Spain, Italy, and Peru.
We’d love to hear your thoughts on this alarming development in the comments below!