Security News > 2020 > May > Multi-part Android spyware lurked on Google Play Store for 4 years, posing as a bunch of legit-looking apps

A newly uncovered strain of Android spyware lurked on the Google Play Store disguised as cryptocurrency wallet Coinbase, among other things, for up to four years, according to a new report by Bitdefender.
Beginning with an innocuous-looking dropper hosted on the Google Play store, masquerading as one of a number of legitimate apps, Mandrake allowed its Russian operators to snoop on virtually everything unsuspecting targets did on their mobile phone.
Mandrake malware... fully compromised the target device, granting itself device admin privileges to forward all incoming SMS messages to the operators' server or a specified number, send texts, place calls, steal contact list information, activate and record GPS location, steal Facebook and financial app credentials, record the screen and more.... As well as posing as Coinbase, Mandrake's operators disguised their malware as apps for Amazon, Gmail, the Google Chrome browser, various Australian and German banks, currency conversion service XE and PayPal.
Bitdefender traced the Google Play Store developer accounts linked to the droppers and identified a Russian freelance developer, hiding behind a network of fake company websites, stolen identities and email addresses and fake job ads in North America.
Last year ESET discovered open-source spyware targeted at the Balouch people of the Afghanistan-Pakistan region, while a 2017 Black Hat presentation went into detail about efforts to cleanse the Google Play Store of government-surveillance malware of the same type as Mandrake.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/05/14/bitdefender_mandrake_malware/
Related news
- New North Korean Android spyware slips onto Google Play (source)
- SpyLend Android malware downloaded 100,000 times from Google Play (source)
- Malicious Android 'Vapor' apps on Google Play installed 60 million times (source)
- Week in review: Exploited 7-Zip 0-day flaw, crypto-stealing malware found on App Store, Google Play (source)
- Google Confirms Android SafetyCore Enables AI-Powered On-Device Content Classification (source)
- Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities (source)
- How Google tracks Android device users before they've even opened an app (source)
- Google fixes Android zero-day exploited by Serbian authorities (source)
- Google expands Android AI scam detection to more Pixel devices (source)
- Google Rolls Out AI Scam Detection for Android to Combat Conversational Fraud (source)