A new iteration of a sophisticated Android spyware called Mandrake has been discovered in five applications that were available for download from the Google Play Store and remained undetected for two years.
A majority of the downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K. "The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment," researchers Tatyana Shishkova and Igor Golovin said.
The second-stage payload is also capable of collecting information about the device's connectivity status, installed applications, battery percentage, external IP address, and current Google Play version.
When reached for comment, Google told The Hacker News that it's continuously shoring up Google Play Protect defenses as new malicious apps are flagged and that it's enhancing its capabilities to include live threat detection to tackle obfuscation and anti-evasion techniques.
"Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services," a Google spokesperson said.
"Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
News URL
https://thehackernews.com/2024/07/new-mandrake-spyware-found-in-google.html