Mandrake Android spyware spreading via Google Play Apps for 4 years

by Julie Splinters - - 2020-05-15

Powerful banking trojan Mandrake spreads within the U.S, Australia, Canada, and Europe for at least four years: thousands of Android users exposed to data theft

Mandrake banking trojan Mandrake banking trojan owns thousands of Android devices for four years and uses harvested data for espionages

Android trojan, dubbed Mandrake, has been stealthily targeting Android users for four years and has already stolen money from thousands of unsuspecting victims. Security researchers from Bitdefender^[1] have submitted a whitehat report at the beginning of May 2020 and described it as a typical Remote Control Trojan (RAT)^[2], except the fact that it’s developed in an unseen complex structure, sophisticated distribution strategy, persistence model, and multiplicity of Arsenal.

According to researchers, Mandrake banking trojan has been first spotted in 2016. At the time, it did not arise much attention and seemed to be idle spyware with no future success. However, the analysis that lasted for four years revealed that it’s unprecedented malware that managed to attack Android users for the whole four-year-span without being noticed.

It takes special care not to infect everyone” – This is exactly what the actor did and most likely why it remained under the radar for 4 full years.

Criminals managed to push Mandrake dropper on Google Play store^[3] via 7 trojanized applications, i.e. Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope, and Car News. These fully functional applications have been popularised on social media platforms (Twitter, Facebook) and forums like Reddit attracting thousands of downloads.

Criminals carefully select the victims and initiate attacks over the host devices manually

The first wave of Mandrake Android banking trojan has been seen in 2016 and lasted for one year. Researchers did not specify how many Android devices it managed to infect. However, it has been mainly targeting Australian users^[4], including Australian investment trading applications known as CommSec. The second attack wave started in 2018 and lasts up till now. Criminals expanded the target to the US, Europe, and Canada with the main focus on Australia remaining.

Nevertheless, the number of victims statistically is low. So how is it possible that such a well-managed and sophisticated trojan fails to find victims? According to Bitdefender researchers, Mandrake trojan attacks seem to be initiated manually targeting well-selected individuals. During the first stage of the infiltration, the Mandrake spyware checks victim’s preferences, address book, messaging apps, record some screens, and logs taps to find out if the victim has a potential to bring criminals a substantial financial profit. If an overview has a positive tendency, the trojan moves forward to the second phase.

According to the analysis, the trojan bypasses African, Soviet Union, Arabic-speaking, and other lower social level countries. Besides, it bypasses Verizon and China Mobile Communications Corporation. In general, if the infected device does not meet the criminals’ requirements, the malware is set to perform an automatic self-destruction command. Therefore, it’s obvious that Mandrake’s developers seek financial profit.

Mandrake's Arsenal leaves no way for its victims to prevent data theft

This banking trojan has been distributed via trojanized Google Play store apps. However, downloading malware dropper is not sufficient for criminals to take full control over the infected Android device. Upon installation, the malware initiates the analysis of the device and creates fake visual components, for instance, fake EULA, region modification, language preferences, and similar. This way, the user is tricked into clicking the Agree button, which grants the malware permission to initiate malicious activities.

Mandrake is an extremely dangerous virus, which once installed on an Android device can steal banking information and initiate identity theft. Bitdefender researchers^[5] excluded the following capabilities of the trojan:

It is capable of manipulating messaging apps and SMS (record and send the collected SMS to C2 server or specified number, hide incoming messages, create a new SMS and send it to a target number, etc.);
It can manage address book and calls (reroute incoming calls to C2 server, block incoming calls, modify volume up and down, initiate calls to particular phone numbers, harvest contact information, etc.);
Install and remove apps, gather technical information of the installed apps;
Take control over logged in accounts, send the registered account names, passwords for any account (Facebook, Twitter, E-banking);
Bypass Two-factor authentication used (2FA) by E-banking accounts;
Gather device status and all technical details;
Track GPS signal and inform C2 server in real-time;
Take screenshots of the device;
Initiate factory reset and self-destruct.

The performance that the Mandrake exhibits is worrisome. The trojan may be used for various espionages, thefts, data leaks, and other cybercrimes. The only good news is that the trojan does not attack the wide audience. At the time being, only 500 unique victims have been revealed in Australia.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

References

^ Bogdan Botezatu. Mandrake – owning Android devices since 2016. Bitdefender. The official website of security researchers.
^ Exploring RAT Virus. Comodo Antivirus. Software developers.
^ Gareth Corfield. Multi-part Android spyware lurked on Google Play Store for 4 years, posing as a bunch of legit-looking apps. The Register. British tech news.
^ Mandrake Spyware Now Targeting Android Users in Australia. Cyware. The hacker news.
^ Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Bitdefender. Mandrake whitepaper.