Mandrake Android Malware Creeps Up On Google Play Store Again

Years after targeting Android malware, the seemingly dormant Mandrake malware reemerges with a sneaky campaign. Researchers found Mandrake quietly existing on the Google Play Store for at least a year, infecting thousands of users.

Mandrake Malware Sneakily Infected Numerous Play Store Apps

According to a recent report from Kaspersky, Mandrake Android malware has reappeared on the Google Play Store. The notorious spyware was found in five different applications on the Play Store and remained there for 2022 and 2024, garnering 32,000 downloads.

Mandrake malware first  its recent variant.

Kaspersky researchers noticed “layers of obfuscation” in the malware code, which might have helped the malicious apps bypass Google Play Store security checks. Moreover, the malware also applies a stealthy communication strategy with its C&C server. It uses certificate pinning to prevent SSL traffic snooping. In addition, it applies various sandbox evasion and anti-analysis techniques to remain under the radar.

The researchers found the new Mandrake variant upon analyzing a suspicious app. In total, they found the following five apps from three developers carrying the malware.

Application name on Google Play Store App package Developer name
AirFS com.airft.ftrnsfr it9042
Astro Explorer com.astro.dscvr shevabad
Amber com.shrp.sght kodaslda
CryptoPulsing com.cryptopulsing.browser shevabad
Brain Matrix com.brnmth.mtrx kodaslda

All five apps appeared on the Google Play Store in 2022 and stayed there until 2023, except one, AirFS, which was last updated in March 2024 before being removed. The latter also seemed to be the most popular app of all five, attracting over 10,000 downloads.

In their report, the researchers have presented a detailed technical analysis of the new Mandrake variant. While the exact entity of the threat actor behind the latest campaign remains unknown, Kaspersky believes it must be the same threat actor group that first executed the 2020 campaign caught by Bitdefender.

As for the victims, most users belong to the UK, Germany, Canada, Mexico, Spain, Italy, and Peru.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients