Quick guide
The Mandrake malware family resurfaced on Google Play after two years of obscurity, disguised as file-sharing, astronomy, and cryptocurrency apps. The malware is known for its stealthy surveillance activity, which has run in two waves since 2016 (2016-2017 and 2018-2020), successfully evading detection. Its tactics include not operating in 90 countries, delivering payloads only to specific victims, implementing self-destruct mechanisms, and using fully functional decoy applications. Kaspersky's research shows that Mandrake has evolved to employ multiple layers of obfuscation to hide its malicious activity and evade analysis. The latest version moves the malicious code into a native library, making it harder to analyze; its main goals are stealing user credentials and downloading further malicious programs. The re-emergence of Mandrake shows that malware keeps growing in sophistication and stealth despite tighter controls on the app market.
The discovery of the Mandrake malware on Google Play
A mysterious family of Android malware, known for its stealthy surveillance activity, has resurfaced on Google Play after more than two years of obscurity. The malware, called Mandrake, is disguised as file-sharing, astronomy, and cryptocurrency applications. In 2020, security firm Bitdefender highlighted Mandrake's intrusive nature in a report. The malware's activity is divided into two distinct waves: the first from 2016 to 2017 and the second from 2018 to 2020. During both periods it was able to evade detection, which Bitdefender attributed to a series of well-designed strategies, including:
- Not operating in 90 countries, notably those of the former Soviet Union.
- Sending the final payload to only a small subset of specific victims.
- A self-destruct switch called "seppuku", a reference to the Japanese ritual suicide, that erases all traces of the malware.
- Decoy apps with full functionality in categories such as Finance, Cars & Vehicles, Video Players & Editors, Art & Design, and Productivity.
- Quick fixes for vulnerabilities reported in user reviews.
- TLS certificate pinning to conceal communication with command-and-control servers.
Mandrake's evolving threat
Bitdefender estimates that the number of victims reached tens of thousands during the 2018-2020 wave, and that the total could reach hundreds of thousands over the entire four-year period. After Bitdefender's 2020 report, the apps Mandrake had infected appear to have disappeared from Google Play. However, the security firm Kaspersky reported their reappearance in 2022, and until recently they had remained undetected. In addition to launching a new set of decoy applications, Mandrake's operators have implemented several new measures to better hide their malicious activity, circumvent the sandbox analysis used by researchers, and defend against the malware protections introduced in recent years.
Kaspersky researchers Tatyana Shishkova and Igor Golovin noted: "Mandrake spyware is dynamically evolving, improving its stealth methods, sandbox evasion, and bypassing of new defense mechanisms." Four years after the first campaign's apps evaded detection, the current campaign has stayed hidden for two years while still being available for download on Google Play. This demonstrates the threat actors' considerable skill and shows that tighter application controls only lead to more sophisticated and harder-to-detect threats infiltrating the official app market.
Advanced obfuscation techniques
A distinguishing feature of the latest generation of Mandrake is its multi-layered obfuscation, designed to thwart analysis by researchers and to bypass Google's review process for malicious apps. Kaspersky identified five apps that first appeared on Google Play in 2022 and were available for at least a year, with the most recent one updated on March 15 and removed later that month. As of earlier this month, none of these apps had been flagged as malicious by any of the major malware detection providers.
One obfuscation technique is moving the malicious functionality into native libraries, which are themselves obfuscated. Previously, Mandrake kept its malicious logic in the application's DEX file, which was relatively easy to analyze. By relocating the malicious code into a native library, libopencv_dnn.so, Mandrake makes analysis and detection harder. In addition, applying the OLLVM obfuscator to that native library makes the Mandrake application stealthier still. Mandrake's main goals are to steal user credentials and to download and execute further malicious applications, actions that occur only in late-stage infections aimed at specific targets.
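The relocation described above leaves a static footprint a defender can triage for: a small DEX next to a lone, large native library named after a popular project. The script below is an added example, not code from Kaspersky or Bitdefender; it inventories the native libraries in an APK (a plain ZIP), reads each ELF header, and flags an OpenCV-named library shipped without the OpenCV core it would normally accompany. The sample APK it builds is constructed for the demonstration.

```python
"""Added triage example: inventory native code in an APK and flag the Mandrake pattern."""
import io
import struct
import zipfile

# A genuine OpenCV build ships the core library alongside libopencv_dnn.so (assumption).
OPENCV_COMPANIONS = {"libopencv_core.so", "libopencv_java4.so", "libopencv_java3.so"}
ELF_MACHINES = {0x28: "arm", 0xB7: "aarch64", 0x03: "x86", 0x3E: "x86_64"}


def elf_machine(blob: bytes) -> str:
    """Return the ELF e_machine name from a file header, or 'not-elf' if the magic is absent."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return "not-elf"
    endian = "<" if blob[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (machine,) = struct.unpack(endian + "H", blob[18:20])
    return ELF_MACHINES.get(machine, hex(machine))


def triage_apk(apk_bytes: bytes) -> dict:
    """Count DEX and native bytes, list native libs per path, and return triage flags."""
    findings = {"dex_bytes": 0, "native_bytes": 0, "libs": {}, "flags": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("classes") and name.endswith(".dex"):
                findings["dex_bytes"] += info.file_size
            elif name.startswith("lib/") and name.endswith(".so"):
                findings["native_bytes"] += info.file_size
                findings["libs"][name] = elf_machine(zf.read(name)[:64])
    basenames = {path.rsplit("/", 1)[-1] for path in findings["libs"]}
    if "libopencv_dnn.so" in basenames and not basenames & OPENCV_COMPANIONS:
        findings["flags"].append("lone libopencv_dnn.so without OpenCV core")
    # Heuristic threshold (assumption): native code more than 4x the DEX size.
    if findings["libs"] and findings["native_bytes"] > 4 * max(findings["dex_bytes"], 1):
        findings["flags"].append("native code dwarfs DEX")
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a suspicious APK: tiny DEX plus a lone 'OpenCV' library."""
    # Minimal ELF64 header: magic, class=2 (64-bit), data=1 (LE), e_type=3, e_machine=0xB7.
    elf = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
           + struct.pack("<HH", 3, 0xB7) + b"\x00" * 4000)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 200)
        zf.writestr("lib/arm64-v8a/libopencv_dnn.so", elf)
    return buf.getvalue()
```

Run it against a real APK by passing the file's bytes to `triage_apk`; both flags together are a cue for deeper review of the native library, not proof of malice.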