Mandrake: the Android malware that stays active in the shadows

For several years, this malware that infects only devices running Android has remained very discreet.

In this way it has managed to contaminate tens of thousands of smartphones around the world. In terms of functionality, it has nothing to envy the more sophisticated because fulfilling virtually the same roles as a certain part of malware of this kind.

This article will also interest you: 12,000 android apps potentially screwed up

What is known about this malware is that it was used in a hacking and espionage campaign carried out in a very sophisticated and thorough manner. It then allowed cyber criminals using Mandrake to take control of several terminals remotely and very discreetly. This malware allows its users to not only access the contents of the targeted devices, but also to take control of them. This will then facilitate the theft of information such as login credentials, recording screen activity, or spying on the GPS position of the main smartphone user. The cybercriminal can do all this by being as discreet as possible. This is what has marked the effectiveness of this program over the years.

This software has been laid bare by the IT security specialists of BitDefender, a European company specializing in the provision of security solutions, and one of the leaders in this field. BitDefender researchers detailed in a document published on the website all the capabilities of the Mandrake malware. According to the latter, this software has been in operation since 2016. There had been previous descriptions from several researchers of its use on Australian targets. But for some time now, the whole world has been affected by this program.

Bitdefender's Research Director Bogdan Botezatu comments on this software: "Mandrake's ultimate goal is total control of the device, as well as account compromise. It's one of the most powerful Android malware we've seen so far." At this time, experts studying the evolution of this program have not been able to accurately determine the extent of the computer campaigns initiated based on it. However, they know that the latter does not spread through corrupted emails. It would appear that these users specifically target people, and determine a special way to infect them. Once this is done, they then proceed to collect information. "We estimate the number of casualties at tens of thousands for the current wave, and probably hundreds of thousands for the entire four-year period," BitDefender noted.

In addition, the program has a special feature. Indeed, once the work of gathering information and spying on cybercriminals is completed, they can erase it from the corrupted device, thanks to a switch on the software. So as to erase all their trace at the same time. This is why users of this program have been hidden for a long time. Not to mention the fact that they have managed to develop several applications featuring this program and even make them available from the PlayStore. The researchers even meant that applications of this kind were designed specifically for specific countries.

To fool users' vigilance, software known to house Mandrake was partly ad-free, and often received regular security updates. They even managed to escape the control of Google Play Protect. And this is thanks to a very well-orchestrated process. First when the application is installed on the smartphone, it does not contain the malware. It is only after it is installed that it connects to the server to load all the capabilities necessary to make Mandrake work properly. "The malware works in stages, the first step being a harmless application without malicious behavior, other than the ability to download and install a payload at the second stage when specifically requested. It is safe to say that its operator will not trigger this malicious behavior when it operates in Google's analytics environment," says Botezatu.

According to BitDefender specialists, mandrake's hacking companions are still ongoing. The software once installed does not fail to require several additional permissions: "What seems to be a simple process, such as entering into an end-user license agreement and accepting it, actually results behind the scenes in requesting and granting extremely powerful permissions. With these permissions, the malware gains full control of the device and the data it contains," Botezatu noted.

Now access an unlimited number of passwords:

Check out our hacking software