Mandrake Android spyware reappears on Google Play after a two-year stealth operation, with five apps totaling over 32,000 installs and renewed obfuscation. The new variant shifts core malware logic to obfuscated native libraries, uses certificate pinning for C2, and employs extensive sandbox evasion and anti-analysis techniques. #Mandrake #RICINUS #AirFS #GooglePlay #AndroidSpyware #Frida
Keypoints
- Mandrake spyware returned to Google Play after a two-year hiatus, with five apps published between 2022 and 2024 and over 32,000 total downloads.
- The core malicious functionality has been moved into native libraries obfuscated with OLLVM to hinder analysis and detection.
- Communication with command-and-control servers uses certificate pinning to prevent interception of SSL traffic.
- Mandrake employs a diverse set of sandbox evasion and anti-analysis techniques, including Frida detection.
- The infection chain follows a dropper → loader → core structure, with the first stage hidden inside a native library and decrypting the loader from assets.
- New variants are tied to the “ricinus” branch, with multiple 3.x.x filenames and loaders; some of the apps had no vendor detections on VirusTotal as of mid-2024.
- Capabilities include credential theft via webview overlays, screen capture, automation, and the ability to install or update next-stage modules delivered from the C2.
MITRE Techniques
- [T1027] Obfuscated Files or Information – Mandrake employs multiple layers of obfuscation, including obfuscated native libraries (e.g., libopencv_dnn.so) to hide functionality. ‘The new versions hide all the first-stage malicious activity inside the native library …’
- [T1071] Command and Control – Mandrake communicates with C2 servers and uses certificate pinning to prevent interception of SSL traffic. ‘Communication with command-and-control servers (C2) uses certificate pinning to prevent capture of SSL traffic.’
- [T1497] Sandbox Evasion – A variety of sandbox evasion and anti-analysis techniques (including Frida detection) are used to thwart analysis. ‘sandbox evasion and anti-analysis techniques.’
- [T1022] Data Encrypted – AES encryption is used for C2 domains and payloads, with keys and configuration data encrypted. ‘AES-encrypted C2 domains, and keys for configuration data and payload decryption.’
- [T1071.001] Application Layer Protocol – C2 uses a custom JSON-like serialization format over HTTPS for communications. ‘The same as in previous campaigns’ and ‘encrypted strings are mixed with plain text strings.’
- [T1056] Input Capture – Webview overlays are used to capture user credentials and other input. ‘The threat actors use webview overlays to steal credentials.’
- [T1219] Remote Access Software – Webview overlays provide remote control capabilities, enabling attackers to interact with the device. ‘remote access capability through a webview’
Indicators of Compromise
- [File Hashes] AirFS/mandrake samples on Google Play – 141f09c5d8a7af85dde2b7bfe2c89477, 1b579842077e0ec75346685ffd689d6e, and 2 more hashes
- [Domains and IPs] C2 domains/IPs – 45.142.122[.]12, ricinus[.]ru, and 3 more domains
Read more: https://securelist.com/mandrake-apps-return-to-google-play/113147/