Carding Forum
Professional
- Messages
- 2,788
- Reaction score
- 1,175
- Points
- 113
How did the spy operation manage to go unnoticed since the beginning of 2022?
Yesterday, July 29, researchers from Kaspersky Lab reported on a new version of the Mandrake spyware, which, using improved methods of hiding and bypassing security systems, penetrated Google Play through five completely different applications downloaded back in 2022.
Mandrake was first documented by Bitdefender in 2020. Then the malware also caused genuine surprise to experts, since at the time of detection it was successfully hidden in Google Play for four years.
So, below is a list of malicious applications detected by Kaspersky Lab. It is noteworthy that the most popular of them was removed by Google representatives only in March of this year.
Most of the infected apps are downloaded in Canada, Germany, Italy, Mexico, Spain, Peru, and the United Kingdom.
AirFS — the most popular infected application identified
Unlike most Android malware programs, which place malicious logic in the app's DEX file, Mandrake hides its initial stage in the native library "libopencv_dnn.so", which is heavily obfuscated using OLLVM.
After installing the application, this library exports functions for decrypting and loading the second stage from the DEX file. In the second step, the app requests permissions to display overlays and loads the second native library "libopencv_java3.so", which decrypts the certificate for secure communication with the command server.
After establishing a connection with the server, the application sends the device profile and receives the main Mandrake component, if the device is suitable. Once activated, the spyware can perform a wide range of malicious actions, including collecting data, recording the screen, executing commands, imitating user gestures, managing files, and installing applications.
The new version of Mandrake includes improved methods for bypassing protection, such as checking for the presence of the Frida toolkit, popular among security analysts, checking the root status on the device, and checking whether the system partition is mounted in read-only mode.
Android users are advised to install apps only from trusted publishers, check reviews before installing, avoid granting suspicious permissions, and be sure to activate Google Play Protect on their device. The latter is constantly being improved and automatically protects users from known versions of a wide variety of spyware, warning or blocking applications with suspicious behavior.
Source
Yesterday, July 29, researchers from Kaspersky Lab reported on a new version of the Mandrake spyware, which, using improved methods of hiding and bypassing security systems, penetrated Google Play through five completely different applications downloaded back in 2022.
Mandrake was first documented by Bitdefender in 2020. Then the malware also caused genuine surprise to experts, since at the time of detection it was successfully hidden in Google Play for four years.
So, below is a list of malicious applications detected by Kaspersky Lab. It is noteworthy that the most popular of them was removed by Google representatives only in March of this year.
- AirFS — 30,305 downloads (from April 2022 to March 2024);
- Astro Explorer — 718 downloads (from May 2022 to June 2023);
- Amber — 19 downloads (from February 2022 to August 2023);
- CryptoPulsing — 790 downloads (from November 2022 to June 2023);
- Brain Matrix — 259 downloads (from April 2022 to June 2023).
Most of the infected apps are downloaded in Canada, Germany, Italy, Mexico, Spain, Peru, and the United Kingdom.
AirFS — the most popular infected application identified
Unlike most Android malware programs, which place malicious logic in the app's DEX file, Mandrake hides its initial stage in the native library "libopencv_dnn.so", which is heavily obfuscated using OLLVM.
After installing the application, this library exports functions for decrypting and loading the second stage from the DEX file. In the second step, the app requests permissions to display overlays and loads the second native library "libopencv_java3.so", which decrypts the certificate for secure communication with the command server.
After establishing a connection with the server, the application sends the device profile and receives the main Mandrake component, if the device is suitable. Once activated, the spyware can perform a wide range of malicious actions, including collecting data, recording the screen, executing commands, imitating user gestures, managing files, and installing applications.
The new version of Mandrake includes improved methods for bypassing protection, such as checking for the presence of the Frida toolkit, popular among security analysts, checking the root status on the device, and checking whether the system partition is mounted in read-only mode.
Android users are advised to install apps only from trusted publishers, check reviews before installing, avoid granting suspicious permissions, and be sure to activate Google Play Protect on their device. The latter is constantly being improved and automatically protects users from known versions of a wide variety of spyware, warning or blocking applications with suspicious behavior.
Source
