Mysterious family of malware hid in Google Play for years

A mysterious family of Android malware with a demonstrated history of effectively concealing its myriad spying activities has once again been found in Google Play after more than two years of hiding in plain sight.

The apps, disguised as file-sharing, astronomy, and cryptocurrency apps, hosted Mandrake, a family of highly intrusive malware that security firm Bitdefender called out in 2020. Bitdefender said the apps appeared in two waves, one in 2016 through 2017 and again in 2018 through 2020. Mandrake’s ability to go unnoticed then was the result of some unusually rigorous steps to fly under the radar. They included:

• Not working in 90 countries, including those comprising the former Soviet Union
• Delivering its final payload only to victims who were extremely narrowly targeted
• Containing a kill switch the developers named seppuku (Japanese form of ritual suicide) that fully wiped all traces of the malware
• Fully functional decoy apps in categories including finance, Auto & Vehicles, Video Players & Editors, Art & Design, and Productivity
• Quick fixes for bugs reported in comments
• TLS certificate pinning to conceal communications with command and control servers.

Lurking in the shadows

Bitdefender estimated the number of victims in the tens of thousands for the 2018 to 2020 wave and “probably hundreds of thousands throughout the full 4-year period.”

Following Bitdefender’s 2020 report, Mandrake-infected apps seemed to vanish from Play. Now, security firm Kaspersky has reported that the apps reappeared in 2022 and went unnoticed until now. Besides a new round of decoy apps, the Mandrake operators also introduced several measures to better conceal their malicious behavior, avoid analysis from “sandboxes” used by researchers to identify and study malware, and combat malware protections introduced in recent years.

“The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion, and bypassing new defense mechanisms,” Kaspersky researchers Tatyana Shishkova and Igor Golovin wrote. “After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years, while still available for download on Google Play. This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.

A key feature of the latest generation of Mandrake is multiple layers of obfuscation designed to prevent analysis by researchers and bypass the vetting process Google Play uses to identify malicious apps. All five of the apps Kaspersky discovered first appeared in Play in 2022 and remained available for at least a year. The most recent app was updated on March 15 and removed from the app market later that month. As of earlier this month, none of the apps were detected as malicious by any major malware detection provider.

One means of obfuscation was to move malicious functionality to native libraries, which were obfuscated. Previously, Mandrake stored the malicious logic of the first stage in what’s known as the application DEX file, a type of file that’s trivial to analyze. By switching the location to the native library libopencv_dnn.so, the Mandrake code is harder to analyze and detect because the native libraries are more difficult to inspect. By then obfuscating the native library using the OLLVM obfuscator, Mandrake apps were even more stealthy.

The chief purposes of Mandrake are to steal the user’s credentials and download and execute next-stage malicious applications. But these actions are carried out only in later-stage infections that are served only to a small number of carefully selected targets. The primary method is by recording the screen while a victim is entering a passcode. The screen recording is initiated by a control server sending commands such as start_v, start_i, or start_a. The researchers explained:

When Mandrake receives a start_v command, the service starts and loads the specified URL in an application-owned webview with a custom JavaScript interface, which the application uses to manipulate the web page it loads.

While the page is loading, the application establishes a websocket connection and starts taking screenshots of the page at regular intervals, while encoding them to base64 strings and sending these to the C2 server. The attackers can use additional commands to adjust the frame rate and quality. The threat actors call this “vnc_stream”. At the same time, the C2 server can send back control commands that make application execute actions, such as swipe to a given coordinate, change the webview size and resolution, switch between the desktop and mobile page display modes, enable or disable JavaScript execution, change the User Agent, import or export cookies, go back and forward, refresh the loaded page, zoom the loaded page and so on.

When Mandrake receives a start_i command, it loads a URL in a webview, but instead of initiating a “VNC” stream, the C2 server starts recording the screen and saving the record to a file. The recording process is similar to the “VNC” scenario, but screenshots are saved to a video file. Also in this mode, the application waits until the user enters their credentials on the web page and then collects cookies from the webview.

The start_a command allows running automated actions in the context of the current page, such as swipe, click, etc. If this is the case, Mandrake downloads automation scenarios from the URL specified in the command options. In this mode, the screen is also recorded.

Screen recordings can be uploaded to the C2 with the upload_i or upload_d commands.

Neither Kaspersky nor Bitdefender provided attribution for the group or what its motives are for spreading a spyware and credential-stealing app as sophisticated as Mandrake. The apps Kaspersky discovered appear in the table below. Google has since removed them from Play. Additional indicators of compromise can be found in the Kaspersky post.