Mandrake: Super sophisticated Android malicious code, only 4 years to be discovered

Mandrake will carefully select the victim. It will only target the most valuable targets (possessing large amounts of valuable data).

Recently, security researchers from Bitdefender Labs have uncovered relatively detailed traces of a malware strain that infects Android devices and is designed to steal victims' data. The problem is that this malware has been operating since 2016, yet it had not been discovered until now.

Specifically, this malware, called Mandrake, operates somewhat differently from most common threats today, in that it does not attempt to infect devices at all costs. Instead, Mandrake carefully selects its victims. It only targets the most valuable ones (those holding large amounts of valuable data). This mode of operation not only lets the malware maximize its profits, but also helps it draw less attention from the security community.

In addition, the malware is also programmed to avoid Android users in certain regions and countries, including countries of the former Soviet Union, Africa and the Middle East. In contrast, Australia, the US, Canada and some European countries are the most heavily targeted regions.

According to estimates by Bitdefender Labs, Mandrake has infected hundreds of thousands of victims worldwide since 2016, with tens of thousands of devices infected at present. This number is not large compared to the well-known malware families recorded so far. However, it is worth noting that most of Mandrake's victims are high-value targets, so the damage this malware can cause is still huge.

One reason Mandrake escaped detection on the Play Store for so many years is that the malware is not bundled inside the apps themselves. Instead, it is delivered after the victim has installed the application on the device. The apps only use their own process to download the malicious payload when "directed" to do so, which lets them pass Google's review process. Once the malicious payload has been delivered to the target device, the malware starts collecting most of the data it wants from the user, including login credentials for websites and applications. When installed on the device, the application looks like a normal app, but in the background it hands over permissions and data to the malware operator.

Picture 1: Mode of malicious code operation

Bogdan Botezatu, director of threat research and reporting at Bitdefender, called Mandrake "one of the most powerful malware in the Android world", with the ultimate goal of fully controlling the device and capturing the victim's valuable personal data.

Mandrake has been distributed through a series of Android apps on the Play Store for years. These applications are constantly updated and refreshed, and even come from different developers.

Even the applications used to distribute the malware are relatively well supported, so that users mistakenly believe they are trustworthy: the developers respond to user feedback on the Store, and some even maintain social media pages.

In particular, after it has collected all the data it wants, the malware can completely remove itself from the device, leaving the victim unaware of what happened.

Picture 2: List of some applications containing malicious code

With such a complex mode of operation, Mandrake is difficult to guard against. The best way to avoid this type of malware is to install applications only from reputable and reliable developers.

If you need more information, you can read the full Mandrake report from Bitdefender here:

https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf