Mandrake Android Spyware
Mandrake is sophisticated spyware that targets Android devices. It has been linked to various cyber-espionage activities and is known for its extensive capabilities to monitor and control infected devices.
Discovery And Evolution
Mandrake has been around since at least 2016, evolving over time to evade detection and enhance its functionalities. In April 2024, researchers at Kaspersky identified suspicious samples, which were later confirmed to be a new variant of Mandrake.
Kaspersky has reported that a new variant of Mandrake, with improved obfuscation and evasion techniques, infiltrated Google Play via five apps submitted to the store in 2022.
These apps stayed on the platform for at least a year. The last one, AirFS (see below), which was the most popular and caused the most infections, was removed at the end of March 2024.

The five applications reported to contain the Mandrake malicious code:
- AirFS - File sharing via Wi-Fi by it9042 (30305 downloads)
- Astro Explorer by shevabad (718 downloads)
- Amber by kodaslda (19 downloads)
- CryptoPulsing by shevabad (790 downloads)
- Brain Matrix by kodaslda (259 downloads)
The malicious applications on Google Play were accessible in numerous countries, with the majority of downloads occurring in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
If you have one of the above apps installed on your mobile phone, uninstall it immediately!
Silent Enemy And a Major Threat!
Once installed, Mandrake remains dormant initially to avoid detection. After a period, it activates and begins its malicious activities:
- Data Exfiltration: Mandrake can steal sensitive information such as login credentials, SMS messages, call logs, contacts, and browser history.
- Remote Control: The spyware can remotely control the infected device, including the ability to make calls, send texts, and take screenshots.
- Banking Information: Mandrake is particularly dangerous for its ability to target banking information, often intercepting two-factor authentication codes and other sensitive financial data.
How To Stay Safe?
Android users are advised to:
- install apps only from reputable publishers,
- review user comments before downloading,
- avoid granting permissions that seem unnecessary for the app's functionality,
- ensure that Google Play Protect is always enabled.
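The permission advice above can also be checked from a workstation. The following is an added example, not code from the original article, Kaspersky or Redamp.io: it parses text in the style of `adb shell dumpsys package` output and lists apps whose granted permissions cover several of the capabilities described earlier. The capability-to-permission mapping, the threshold of three and the sample package names are assumptions constructed for illustration.

```python
import re

# Assumption (not from the article): Android permissions that enable the
# data-theft and remote-control capabilities the article lists.
CAPABILITY_PERMS = {
    "sms_read": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "calls": {"android.permission.CALL_PHONE"},
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true")

def parse_granted(dump):
    """Return {package: set of granted permissions} from dumpsys-style text."""
    granted, current = {}, None
    for line in dump.splitlines():
        if (m := PKG_RE.match(line)):
            current = granted.setdefault(m.group(1), set())
        elif (m := PERM_RE.match(line)) and current is not None:
            current.add(m.group(1))
    return granted

def audit(dump, threshold=3):
    """Return {package: capabilities} for apps covering >= threshold capabilities."""
    report = {}
    for pkg, perms in parse_granted(dump).items():
        caps = sorted(c for c, need in CAPABILITY_PERMS.items() if perms & need)
        if len(caps) >= threshold:
            report[pkg] = caps
    return report

# Constructed sample, modelled on `adb shell dumpsys package` output.
SAMPLE_DUMP = """\
Package [com.example.fileshare] (1a2b3c):
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (4d5e6f):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.SEND_SMS: granted=false, flags=[ USER_FIXED ]
"""

print(audit(SAMPLE_DUMP))
```

A listed app is a candidate for review against what it actually needs, not a confirmed infection.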
We Can Help You!
Simply stay safe with Redamp.io!
Our application can recognize potentially malicious or dangerous applications and easily show them to you.