Mandrake Spyware Evades Google Play Security for Over Two Years
Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)
Kaspersky researchers have uncovered a new version of the notorious Mandrake spyware, revealing advanced obfuscation techniques that allowed it to bypass Google Play’s security checks and remain undetected for two years.
First identified in 2020, Mandrake has been an active Android espionage platform since at least 2016. The latest variant, detected in April 2024, showcases enhanced functionality and evasion capabilities that have raised concerns among cybersecurity experts.
The new Mandrake samples employ several advanced techniques to avoid detection:
Tatyana Shishkova, Lead Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT), commented:
“After evading detection for four years in its initial versions, the latest Mandrake campaign remained undetected on Google Play for an additional two years.
This demonstrates the advanced skills of the threat actors involved. It also highlights a troubling trend: as restrictions tighten and security checks become more rigorous, the sophistication of threats penetrating official app stores increases, making them more challenging to detect.”
Kaspersky’s investigation revealed five applications containing the Mandrake spyware, which collectively amassed over 32,000 downloads. These apps, all published on Google Play in 2022, were available for at least a year and masqueraded as legitimate applications:
As of July 2024, none of these apps were flagged as malware by any vendor on VirusTotal—underscoring the effectiveness of Mandrake’s obfuscation techniques.
While the malicious applications are no longer available on Google Play, they were widely distributed across multiple countries. The majority of downloads occurred in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
The persistent nature of the Mandrake threat actor is evident in the similarities between the current and previous campaigns. Kaspersky researchers noted that the C2 domains were registered in Russia, leading them to conclude with high confidence that the same threat actor identified in Bitdefender’s initial detection report is behind this latest campaign.
(Photo by Rayner Simpson)