July 31, 2024
Severity
High
Analysis Summary
A new version of the sophisticated Android spyware known as Mandrake has been found in five apps that were available on the Google Play Store and went undetected for two years.
Before being removed from the store, the applications had received over 32,000 installations in total, according to researchers, most of them in the United Kingdom, Canada, Germany, Italy, Mexico, Spain and Peru. The new samples add further layers of evasion and obfuscation: the malicious functionality has been moved into obfuscated native libraries, certificate pinning is used for C2 communications, and a battery of checks determines whether Mandrake is running in an emulator or on a rooted device. The certificate pinning matters for defenders as well as analysts, since a TLS-intercepting proxy will not be able to inspect the C2 traffic; detection at the network layer has to rely on the DNS names and destination addresses listed below.
Mandrake was first documented in May 2020; its operators had deliberately infected only a small number of devices so as to remain unnoticed since 2016. No threat actor or group has yet been attributed. The updated versions combine a variety of sandbox-evasion and anti-analysis measures, intended to stop the code from executing in analyst-controlled environments, with OLLVM obfuscation of the core functionality. The apps found carrying Mandrake were:
- AirFS
- Amber
- Astro Explorer
- Brain Matrix
- CryptoPulsing
The apps are built in three stages: a dropper that downloads and decrypts the malware from a command-and-control (C2) server, then starts a loader that runs the main malicious component. The second-stage payload collects information about the device's installed apps, battery level, external IP address and status, and Google Play version. It can also remove the main module and request permission to run in the background and to draw overlays.
The third stage adds commands to load a given URL in a WebView, start a remote screen-sharing session and record the device screen, which are used to steal victims' credentials and fetch further malware. Android 13 introduced 'Restricted Settings', which prevents side-loaded apps from directly requesting dangerous permissions. Mandrake gets around this by completing the installation through a 'session-based' package installer, the install path used by app stores, so the resulting component is not treated as side-loaded.
Mandrake is an example of a continuously evolving threat that keeps refining its tradecraft to bypass defenses and avoid detection. It shows both the skill of the operators and that stricter vetting of apps before they reach the market simply pushes attackers towards more complex, harder-to-detect threats that still make it into official app marketplaces.
Impact
- Unauthorized Access
- Security Bypass
- Credential Theft
- Cyber Espionage
Indicators of Compromise
Domain Name
- ricinus.ru
- ricinus-ca.ru
- ricinus-cb.ru
- ricinus-cc.ru
- ricinus.su
- toxicodendron.ru
IP
- 45.142.122.12
MD5
- 141f09c5d8a7af85dde2b7bfe2c89477
- 1b579842077e0ec75346685ffd689d6e
- 202b5c0591e1ae09f9021e6aaf5e8a8b
- 31ae39a7abeea3901a681f847199ed88
- 33fdfbb1acdc226eb177eb42f3d22db4
- 3837a06039682ced414a9a7bec7de1ef
- 3c2c9c6ca906ea6c6d993efd0f2dc40e
- 494687795592106574edfcdcef27729e
- 5d77f2f59aade2d1656eb7506bd02cc9
- 79f8be1e5c050446927d4e4facff279c
- 7f1805ec0187ddb54a55eabe3e2396f5
- 8523262a411e4d8db2079ddac8424a98
- 8dcbed733f5abf9bc5a574de71a3ad53
- 95d3e26071506c6695a3760b97c91d75
- 984b336454282e7a0fb62d55edfb890a
- a18a0457d0d4833add2dc6eac1b0b323
- b4acfaeada60f41f6925628c824bb35e
- cb302167c8458e395337771c81d5be62
- da1108674eb3f77df2fee10d116cc685
- e165cda25ef49c02ed94ab524fafa938
- eb595fbcf24f94c329ac0e6ba63fe984
- f0ae0c43aca3a474098bd5ca403c3fca
SHA-256
- ae624eb94585394f2b4e4fa1385f058379b176d5566128deb47113d4f51c6def
- b13b3b17e9194dc396d902047a67ad021fde5c3d50710ed7b7a6a80221416c9b
- e694798ddf0c6cfc0a8315c8d05f1e8c68d883b60b217f3c5e312b702772acbd
- b4bc8fde4019375dfc8f333f481f1a12d81f11848cfa819832dedcdb8439ccf0
- 31fdbea5531b06d44932bebf215a0282969c0c367827cd19f58df12dbacd8a16
- 2c968409c529ae1799d7779d1e84cdcbd6379b63a774be02ccc5d596be14bac7
- 90f07ab1244107e09a1918af2db0fc80209035b79632371b3450907c586f4809
- 07fec5af5336dd2fbb0b0cb2277a279afb0ab1949dd9fe9e6c0ecfdc02908212
- 90464002312c620824f7053dd81d7f112dc738e6d2bb8792f4eada8529679b4e
- a3a7007f86721913dd959031d5693c3258bf64e07eab1fefe4d1527987378a9e
- 6fdfc236a05f87032ca6f9dc825edf663cba5f2fa4b9e9b5db61c9c570a0423e
- 68f2acf24cd2983520d646f760d21cf1c5209b29acf06ffdca0340c4806a8149
- 2ac67e770bfa22f0f1222ae75accc95b59c9671765a1933afbadb72903b84238
- f841b1531bd6a23dcc42c1831e0537a9addf204043e482067938af04365a2d09
- 7968f35e8b78ba3f825926866966acbe97871522b77678ad103dc2867548f305
- 780c930e4c5492e0ae7805002f7a613b9d16a44dafe77f309606a3e76a6c797a
- da02532fac82516b4e80d2658b83adfabb5c34b8a8312ccbe4abc06d8d4d6dba
- bac8a38e8f872fc73384093ffa0f2b765b64697f76f477421f24d6ad8c2bfcb7
- f7d789061b69e078b0318b95ba5993d57ed1e284b112486ed141d0bbc6bc14d8
- 0540c144f70fbc6cd99ef89c4632db227c74b0f04c9a3c6ca1bede847ebafab4
- 585d3c40313026eda7e9df6bc7663649db30f089637c8bbc298bd8430a6a0c38
- 82f4ecf299e2f0c765f15103c3433bf9c597549269e81403e0dcbc64f0b61d54
SHA1
- 734e57a91d651f2566c0f113d37702beeac25928
- 465bf129f31529cdf44ce9aa81e61d2a8f77f8cb
- 56d89477d693c11bf1c48e3ae7a3bbf6436b909f
- 3bbc7ac4475ea8a50831007e8d1bbe2c7b031cdc
- 4ace4dc152283d4bf08b391995ef18dc69feea16
- cf3422dc1791168fdf9788a4f86a70929815cfce
- ea925dcd839ae18ef17ed24c52e2e79452ad0096
- c5617664bd55b8027d5e079303e13c0526c968a8
- bf86f44ec9e522e3576338c140e4089b6173ab5b
- 23ecdfbc465114e25dd6b42ba2ae9daf8076ab96
- d866891fc7454a33bff2627830dd14565c66af0e
- c0df64e57ac6a0851b379f50e6322b47a4a385fe
- 6fdf4f674bd3cbe952b057350eafa270f283dbc5
- 4b266e3a00b827e8122d0803488fa05dd23e3eac
- de58b08c6bebe52f232f0874a0b9748de6e00ed8
- c32b058f119befac35f4e26697a5c691658403ca
- 2d3106e9125aad3e80669f0aea96ad59ed2a9c5d
- 35b2fdb04f891b1875879b3ed8961cd3af26131e
- 904c37c8e33802b482c5348033c634b639587114
- e7565217c5945e6cef8618ef0e094cf2c7fb2cd2
- 6469ba57e2ec164ea88c913293debe3288d32089
- b435e3f1427241d027ddcb602f0f7c14cad1b600
Remediation
- Block all threat indicators at your respective controls (DNS resolver, proxy/firewall, EDR and MDM), including the domains, IP address and file hashes listed above.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls. The hash lists identify the samples known so far; a rebuilt dropper will not match them, so combine file-hash sweeps with the DNS and destination-IP indicators.
- Only install apps from official app stores (Google Play Store and Apple App Store) and avoid third-party app sources. Note that the five apps in this advisory were hosted on Google Play itself, so official-store origin alone is not sufficient: keep Google Play Protect enabled and remove the listed apps if they are present on managed devices.
- Review the permissions an app requests. Requests to run in the background, draw overlays over other apps, or record the screen that are unrelated to the app's stated purpose are red flags; Mandrake relies on exactly these capabilities to steal credentials.
- Never trust or open links and attachments received from unknown sources or senders.
- Encourage individuals to report suspicious activities, emails or messages to the relevant authorities, organizations or security teams.
- Verify the authenticity of websites, social media profiles and apps before providing personal information or engaging with them.
- Implement strong, multi-factor authentication (MFA) for email accounts, social media profiles and other sensitive online services, so that stolen credentials alone are not enough to take over an account.
- Keep all operating systems and software up to date with the latest security patches, and make timely patching a standard security policy. Prioritize known exploited vulnerabilities and zero-days.
- Employ robust network security measures, including firewalls and intrusion detection systems, to detect and block malicious traffic. Because Mandrake pins its C2 certificate, inspection-based controls will not see the payloads; alert on resolution of, and connections to, the listed indicators instead.
- Develop and maintain an incident response plan that outlines the steps to take in case of a breach, and ensure that individuals and teams know how to respond effectively.
- Maintain cyber hygiene by keeping anti-virus and anti-malware software enabled with up-to-date signature definitions, and by running a patch management lifecycle. Multi-layered protection is necessary to secure vulnerable assets.
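The following script, added here as an illustration and not part of the original advisory, performs the IOC sweep recommended above: it hashes APK files under a directory against the MD5/SHA1/SHA-256 lists and matches DNS or proxy log lines against the listed domains (including their subdomains) and IP address. It carries a subset of the hash list to stay short, and the sample log lines and their format are constructed for the example.

```python
"""Sweep local APK files and log lines against the Mandrake indicators above.
Added example; not code from the advisory's author. The log format is an
assumption and SAMPLE_DNS_LOG is constructed for illustration."""
import hashlib
import re
from pathlib import Path

# Indicators copied from the lists above (first entry of each hash list only,
# to keep the example short; paste in the full lists for a real sweep).
MANDRAKE_DOMAINS = {
    "ricinus.ru", "ricinus-ca.ru", "ricinus-cb.ru", "ricinus-cc.ru",
    "ricinus.su", "toxicodendron.ru",
}
MANDRAKE_IPS = {"45.142.122.12"}
MANDRAKE_HASHES = {
    "141f09c5d8a7af85dde2b7bfe2c89477",                                  # MD5
    "734e57a91d651f2566c0f113d37702beeac25928",                          # SHA1
    "ae624eb94585394f2b4e4fa1385f058379b176d5566128deb47113d4f51c6def",  # SHA-256
}


def hash_bytes(data: bytes) -> dict:
    """Return MD5, SHA1 and SHA-256 of `data`, so one read covers all three lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_hashes(data: bytes) -> set:
    """Indicator hashes (any algorithm) that match the given file contents."""
    return set(hash_bytes(data).values()) & MANDRAKE_HASHES


def scan_apk_dir(directory) -> dict:
    """Map each APK under `directory` to the indicator hashes it matches."""
    hits = {}
    for apk in Path(directory).rglob("*.apk"):
        found = matching_hashes(apk.read_bytes())
        if found:
            hits[str(apk)] = found
    return hits


def domain_matches(host: str) -> bool:
    """True for an IOC domain or any subdomain of one (cdn.ricinus.ru), but
    not for look-alikes such as notricinus.ru or ricinus.ru.example.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MANDRAKE_DOMAINS)


# Hostnames and IPv4 addresses as they appear as tokens in DNS/proxy logs.
_TOKEN = re.compile(r"[A-Za-z0-9.-]+")


def scan_log_lines(lines) -> list:
    """Return (line_number, indicator) pairs for lines touching Mandrake C2."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for tok in _TOKEN.findall(line):
            if tok in MANDRAKE_IPS:
                hits.append((n, tok))
            elif domain_matches(tok):
                hits.append((n, tok.lower().rstrip(".")))
    return hits


# Constructed sample log lines (not real traffic): one benign query, one
# subdomain of a C2 domain, one direct connection to the C2 IP, one look-alike.
SAMPLE_DNS_LOG = [
    "2024-07-31T10:00:01Z client=10.0.0.5 query=play.googleapis.com type=A",
    "2024-07-31T10:00:07Z client=10.0.0.9 query=cdn.ricinus-ca.ru type=A",
    "2024-07-31T10:00:09Z client=10.0.0.9 dst=45.142.122.12 dport=443 proto=tcp",
    "2024-07-31T10:00:12Z client=10.0.0.7 query=notricinus.ru type=A",
]

if __name__ == "__main__":
    for n, ioc in scan_log_lines(SAMPLE_DNS_LOG):
        print(f"line {n}: matched {ioc}")
    print(scan_apk_dir("."))  # hashes every .apk under the current directory
```

Run it from a directory of collected APKs, or feed real resolver or proxy lines to `scan_log_lines`; the suffix check in `domain_matches` is deliberate so that a new subdomain under an existing C2 domain is still caught while an unrelated domain that merely ends in the same string is not.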