
New Mandrake Android spyware version discovered on Google Play

· Published 29/07/2024 20:36 · Modified 29/07/2024 21:04


Essential information

Tags
2024-07-29 airfs android apk file google play malware mandrake mobile malware response opcode spyware
Related entities
9 observables, 4 techniques (mitre), 1 malware

Description

In April 2024, Securelist discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any other vendor. The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment.

External references