New Mandrake Malware: A Growing Threat to Android Users

Mandrake Malware

Security researchers have recently uncovered a new version of Mandrake, a highly sophisticated Android spyware tool. This dangerous malware was first analyzed by Bitdefender in May 2020, revealing that it had been operating undetected for at least four years. In April 2024, Kaspersky researchers identified suspicious samples which were later confirmed to be an updated version of Mandrake. This discovery marks a significant development in the ongoing battle against cyber-espionage tools.

Hidden in Popular Apps

The latest variant of Mandrake was found hidden within five applications on Google Play, spanning from 2022 to 2024. These applications managed to amass over 32,000 downloads while remaining undetected by other cybersecurity vendors. The most downloaded app, named AirFS, accumulated over 30,000 installations before it was removed from the platform in March 2024. This highlights the malware’s ability to infiltrate widely used apps and evade detection for an extended period.

Advanced Evasion Techniques

Kaspersky’s advisory detailed how the new Mandrake samples have significantly enhanced their obfuscation and evasion tactics. One key change is the relocation of malicious functions to obfuscated native libraries, which makes them much harder to analyze compared to previous versions. Additionally, the malware now employs certificate pinning to secure its communications with command-and-control (C2) servers. This ensures that data transmissions remain hidden from prying eyes.

Moreover, Mandrake has incorporated various tests to avoid detection on rooted or emulated devices. These include checks for the presence of analyst tools and specific system characteristics that could indicate a virtual environment. These sophisticated evasion techniques make it increasingly challenging for cybersecurity experts to detect and analyze the malware effectively.

Multi-Stage Infection Chain

From a technical standpoint, the new Mandrake version operates through a complex, multi-stage infection chain. Initially, malicious activity is concealed within a native library, which makes it harder to analyze than previous campaigns where the first stage was embedded in the DEX file. Upon execution, this first-stage library decrypts and loads the second stage, which then initiates communication with the C2 server.

If the C2 server deems the device relevant, it commands the device to download and execute the core malware. This core malware is designed to steal user credentials and deploy additional malicious applications, thereby expanding its reach and impact. The infection chain’s multi-stage nature makes it a formidable threat, as each stage adds an additional layer of complexity and evasion.

Enhanced Evasion and Encryption

Mandrake’s evasion techniques have become more sophisticated with each iteration. The malware now includes advanced checks for emulation environments, rooted devices, and the presence of analyst tools. These enhancements make it extremely challenging for cybersecurity experts to detect and analyze the malware. Furthermore, the threat actors behind Mandrake have employed a novel approach to data encryption and decryption, utilizing a mix of custom algorithms and standard AES encryption.

Impact on the Cybersecurity Landscape

The discovery of this new Mandrake variant underscores the evolving nature of cybersecurity threats. Kaspersky’s findings highlight that the Mandrake spyware is continuously improving its methods of concealment, sandbox evasion, and bypassing new defense mechanisms. This ongoing evolution makes it increasingly difficult for cybersecurity measures to keep pace with the threat.

Kaspersky’s advisory emphasized the formidable skills of the threat actors behind Mandrake, noting that the applications in the first campaign went undetected for four years, while the current campaign lurked in the shadows for two years while still available for download on Google Play. This situation underscores the need for stricter controls and more rigorous vetting processes for applications before they are published in official marketplaces.

Implications for Users and Developers

The presence of such sophisticated malware on a widely trusted platform like Google Play raises significant concerns for both users and developers. Users need to be more vigilant about the apps they download, ensuring they come from trusted sources and are regularly updated. Developers, on the other hand, must implement more robust security measures in their applications to prevent them from being exploited by malicious actors.

The discovery of the new Mandrake variant is a stark reminder of the ongoing challenges in the cybersecurity landscape. As threat actors become more sophisticated, the need for robust and adaptive security measures becomes ever more critical. It is essential for users to stay vigilant, keep their devices updated, and only download apps from trusted sources. By understanding the nature of these threats and how they operate, both users and cybersecurity professionals can better protect against the evolving landscape of digital threats.

The battle against cyber-espionage tools like Mandrake is far from over, and continuous efforts are needed to stay ahead of these sophisticated threats. Enhanced security measures, user awareness, and rigorous app vetting processes are crucial in safeguarding against such malicious activities.


Subscribe to Our Newsletter

Related Articles

Top Trending

Crunch Culture Coverup featured image. Exhausted game developer working late in a dark studio, showing how the crunch culture coverup hides the human cost behind AAA game production
The Crunch Culture Coverup Is Gaming’s Ugliest Secret
SEO Tactics For Service Businesses
7 SEO Tactics For Service Businesses
environment impact of plant-based diet featured image. Plant based meal with legumes, grains, vegetables, and a globe showing the environmental value of sustainable food choices.
The Environment Impact of Plant-Based Diet Choices
Self-Hosting AI Costs
Self-Hosting AI Looks Cheap Until You Become the Vendor
Educational YouTube Channels for Homeschool Learning featured image. Parent guides a child using an educational video with notes and learning tools, showing active homeschool study rather than passive screen time.
13 Educational YouTube Channels for Homeschool Living Rooms

Fintech & Finance

Higher 401k Limits Retirement Savers
What Do Higher 401(k) Limits Mean for Retirement Savers in 2026?
ELSS SIP Calculator
ELSS SIP Calculator: Tax Saving + Wealth Building Explained
Tracking Small-Cap Stocks on Fintechzoom.com Russell 2000
Fintechzoom.com Russell 2000: The Complete Guide to Tracking Small-Cap Stocks in 2026
Organizational Bottlenecks and How to Address Them
10 Organizational Bottlenecks: Here’s How to Address Them
Why more Indians are Taking a Rs 50000 Personal Loan for Emergencies and Short-term Needs
Why more Indians are Taking a Rs 50000 Personal Loan for Emergencies and Short-term Needs

Sustainability & Living

environment impact of plant-based diet featured image. Plant based meal with legumes, grains, vegetables, and a globe showing the environmental value of sustainable food choices.
The Environment Impact of Plant-Based Diet Choices
Swedish supply chain traceability platforms
6 Swedish Supply Chain Traceability Platforms Transforming Global Industries
Local Climate Actions
11 Local Climate Actions That Compound Beyond One Household
Plastic-Free Grocery Swaps
8 Plastic-Free Grocery Shopping Swaps That Actually Work
Sustainable Bathroom Swaps
11 Sustainable Bathroom Swaps for a Waste-Free Routine

GAMING

Crunch Culture Coverup featured image. Exhausted game developer working late in a dark studio, showing how the crunch culture coverup hides the human cost behind AAA game production
The Crunch Culture Coverup Is Gaming’s Ugliest Secret
Mortdog left Riot Games
Mortdog Leaves Riot Games: Is This the End of TFT as We Know It?
Quality Assurance & Game Testing
Top 10 Gaming SMEs Specializing in Quality Assurance & Game Testing in India
$70 Game Deals
Why $70 Game Deals Are Mostly Never Worth It
why AAA games look the same
Why AAA Games Look the Same Even When They Cost More Than Ever

Business & Marketing

Best Founder Resources
23 Best Founder Resources: A Practical Guide for Early-Stage Startups
Best Free Courses Aspiring Founders
The 7 Best Free Courses Aspiring Founders Should Take Before Building
best templates founders
11 Best Templates Founders Need to Build Smarter
Enter a new country without legal entity
The Fastest Way to Enter a New Country Without Establishing a Legal Entity
Promotional talent live events
How Promotional Talent Helps Brands Make an Impact at Live Events

Technology & AI

SEO Tactics For Service Businesses
7 SEO Tactics For Service Businesses
Self-Hosting AI Costs
Self-Hosting AI Looks Cheap Until You Become the Vendor
launch tactics tight budget
7 Launch Tactics on a Tight Budget for Indie SaaS Teams
SEO tactics SaaS
11 SEO Tactics Specific to SaaS Teams That Want Qualified Traffic, Not Empty Visits
best newsletters SaaS founders
11 Best Newsletters SaaS Founders Should Read for Growth

Fitness & Wellness

A Complete Guide on TheLifestyleEdge com
The Lifestyle Edge: Your Complete Guide to Wellness and Modern Living
Stretching Accessories That Make a Difference
7 Stretching Accessories That Make a Difference for Flexibility, Mobility, and Recovery
air quality wellness devices
13 Air Quality and Wellness Devices Worth Considering for a Healthier Home
habits reduce stress
7 Habits That Reduce Stress Long Term and Feel Calmer Daily
habits better focus
11 Habits for Better Focus That Actually Work