Mandrake Android spyware infecting Android devices

Malware known as Mandrake, was detected earlier this year. It has been around since 2016 infecting tens of thousands of users. According to a report by Bitdefender- A newly uncovered strain of Android spyware lurked on the Google Play Store disguised as cryptocurrency wallet Coinbase among other things for up to four years. 

The operators of Mandrake campaign are unlike other campaigns, they pick up their targets carefully collecting information in the background until they decide whether they have a valued target compromised. And then they manually control the actions of Mandrake in order to manipulate information out of the user. 

Bitdefender wrote, “Considering the complexity of the spying platform, we assume that every attack is targeted individually, executed with surgical precision and manual rather than automated”. 

Mandrake-infected apps have been removed from the Google Play store, but they still lurk in off-road app markets, out of Google’s reach. These can be used to spy, collects information and snoop on virtually everything unsuspecting targets did on their mobile phone.  

This malware is capable of fully compromising the target device, granting itself device admin privileges to forward all incoming SMS messages to the operator’s server or a specified number, send texts, place calls, activate and record GPS location, steal Facebook and financial app credentials. 

Once the attackers have gained all the information they want, they initiate factory reset to erase all user data and wipe the malware from the device in the process.  

The malware operators are able to evade detection from routine Google scanning through its three-part structure. In stage one the user installs Mandrake Dropper hosted on the Google Play store, masked as one of legitimate apps such as CoinCast, Currency XE Converter, Car News, Horoskope, SnapTune Vid, Abfix and Office Scanner. In Stage two the attacker instruct Dropper to download loader. And in Stage three the attacker instruct loader to down load and deploy the core component.  

The group behind Mandrake malware is believed to be based in Russia or Kazakhstan. Targeting mainly Australia, America, Canada, and some European countries and specifically not attacking users in certain regions, including former Soviet Union countries, Africa, and the Middle East. 

According to Bitdefender, “The only way to remove Mandrake is to boot the device in safe mode, remove the device administrator special permission and uninstall it manually”. 

To avoid infection suggests, make sure the phone settings have not been changed to accept apps from unknown sources and install Android antivirus apps.