This powerful malware stayed hidden for years, infected 10,000+ Smartphones

In early 2020 BitDefender identified a new, highly sophisticated Android malware family that had been active in the wild for at least four years. The malware stays completely hidden from the user and gives the cybercriminals behind it full control of the infected smartphone. BitDefender named the threat "Mandrake Spyware". Its main purpose is to take complete control of the device.

About the Mandrake Spyware :

Mandrake spyware abuses legitimate Android functions to gain access to practically everything on the compromised device, so an attack can gather almost any information about the user. The attacker can browse and collect all data on the device and steal credentials for accounts, including banking applications. It secretly records activity on the screen and tracks the user's GPS location. Mandrake's operators have put serious effort into staying hidden over the years, going so far as to develop, upload and maintain several applications on the Google Play Store under several different developer names. Some of the apps were designed to target specific countries. They were mostly ad-free, and fixes were delivered regularly to keep users happy. Some of the apps even had social media pages, all intended to convince users to install them.

How Mandrake Works :

The malware avoids detection by Google Play by using a multi-stage process to hide the payload. In the first stage the app behaves like a normal application with no malicious behaviour, which is what gets reviewed and published. Once installed on the phone, it contacts the operators' server and downloads a loader, and the loader then brings in the additional capabilities Mandrake needs to take control of the device. Because the malicious code never ships inside the store-reviewed package, a clean listing in the official store says nothing about what the app will load later.
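The staging pattern described above (a clean-looking first stage that fetches a loader at runtime) leaves a static footprint that a triage script can look for: the shipped classes.dex references Android's dynamic class-loading APIs together with a network client, while containing little real logic. The script below is an added example written for this article, not Bitdefender's tooling and not code from the Mandrake samples. It opens an APK as a zip, scans each dex entry for those indicator strings, and extracts embedded URLs. The in-memory demo "APK", the indicator strings and the example.invalid URL are all constructed for illustration; hits are a cue for dynamic analysis, not a verdict, since plugin frameworks and hot-fix SDKs use the same APIs legitimately.

```python
"""Heuristic static triage for staged Android droppers (added example).

Flags APKs whose dex code references dynamic code loading plus a network
client, and lists embedded URLs that may point at a second-stage server.
"""
import io
import re
import zipfile

# Class references that appear in the dex string pool when an app loads
# code at runtime. Constructed indicator list; extend for your own cases.
LOADER_INDICATORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
)
# Class references for fetching the loader over the network.
NETWORK_INDICATORS = (
    b"Ljava/net/HttpURLConnection;",
    b"Ljava/net/URL;",
    b"Lokhttp3/OkHttpClient;",
)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def scan_dex(dex: bytes) -> dict:
    """Return which loader/network references and URLs a dex blob contains."""
    loaders = [i.decode() for i in LOADER_INDICATORS if i in dex]
    network = [i.decode() for i in NETWORK_INDICATORS if i in dex]
    urls = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(dex)})
    return {"loaders": loaders, "network": network, "urls": urls}


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every classes*.dex inside an APK (a zip) and aggregate findings."""
    report = {"dex_files": [], "loaders": [], "network": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                report["dex_files"].append(name)
                found = scan_dex(zf.read(name))
                for key in ("loaders", "network", "urls"):
                    report[key].extend(found[key])
    for key in ("loaders", "network", "urls"):
        report[key] = sorted(set(report[key]))
    # Dynamic loading alone is common; combined with a network client it is
    # the dropper-then-loader shape worth a closer look.
    report["staged_loader_suspected"] = bool(report["loaders"] and report["network"])
    return report


def build_demo_apk(staged: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with a manifest and one dex.

    The dex body is only the 'dex\\n035\\0' magic followed by the string
    pool entries the scanner should see; it is not a valid dex file.
    """
    refs = [b"Landroid/app/Activity;", b"Ljava/lang/String;"]
    if staged:
        refs += [
            b"Ljava/net/HttpURLConnection;",
            b"Ldalvik/system/DexClassLoader;",
            b"http://example.invalid/stage2/loader.jar",  # constructed URL
        ]
    dex = b"dex\n035\0" + b"\0".join(refs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, staged in (("benign-looking", False), ("staged loader", True)):
        print(label, scan_apk(build_demo_apk(staged)))
```

Run it against a real APK with `scan_apk(open("app.apk", "rb").read())`; for obfuscated samples the class names may be renamed, but the `Ldalvik/system/...` framework references and any hard-coded URLs survive, which is why the scan targets those rather than app-specific names.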

Tivadar explained that the attacks appear to be manually orchestrated, which is highly unusual: every victim seems to be analysed independently, and the threat actors issue commands tailored to that victim. This does not look like the work of a lone wolf; it would be possible for them to run some kind of affiliate program, such as selling victims to others.

The first attack wave in 2016-17 had an affinity for the US, UK, Germany, and the Netherlands. The current 2018-20 attack wave is more concentrated in Australia but is also present in Canada, the US and Europe. He also said that the subverted apps and services seem to be more numerous in Australia. The real reason behind this is not known, but Australia's very high mobile-banking penetration, together with its high GDP per capita, might explain why it looks so appealing.

Mitigation :

To help avoid falling victim to such a campaign, users should make sure they know and trust the company that developed the application. It can be better to avoid installing apps from new or unknown developers, even if they are listed in the official store: a benign-looking first stage passes store review, so a store listing by itself is not proof that an app is safe.
