New version of sophisticated spyware remained undetected on Google app store for two years

A sophisticated cyberespionage tool known as Mandrake has been found in five apps that were available for download on Google Play for nearly two years, targeting users in Canada, Germany, Italy, Mexico, Spain, Peru and the U.K.

According to a report published by cybersecurity firm Kaspersky on Monday, these apps have been installed more than 32,000 times and were not detected by any security tools.

Mandrake was previously described as “an incredibly sophisticated piece of Android malware.” It was discovered by researchers from the Romania-based cybersecurity firm Bitdefender in 2020 but had been active in the wild for at least four years prior to that.

At that time, researchers estimated the number of victims in the “hundreds of thousands” throughout the four-year period.

Earlier in April, researchers at Moscow-based Kaspersky discovered a “suspicious sample” that they claim is a new version of Mandrake, which uses more advanced techniques to remain undetected.

The latest Mandrake version was hidden inside five Android apps — including a service to learn astronomy, a memory training app, a file-sharing service, a gaming app and a platform for crypto enthusiasts. The apps were removed from the Google Play store by the end of March 2024 after being available there for almost two years.

Mandrake collects information about the device in several stages. First, it gathers data about the device, including a list of installed applications, mobile network data, IP address and a unique device identifier.

If, based on this information, the attackers find the victim interesting, they run the malware’s main component, which contains its advanced functionality such as turning WiFi on the device, starting screencasting with remote access and accessing information about user accounts and credentials on chosen web pages, according to Kaspersky.

The malware operators avoid countries where compromised devices won’t bring them any return of interest. During its previous campaigns, for example, Mandrake avoided victims in low-income states, African nations, former Soviet Union countries and predominantly Arabic-speaking nations, according to Bitdefender.

It is not clear how the hackers use the information they obtain during the attacks or what damage the operations have caused. The threat actor behind Mandrake wasn’t identified, but reports from Kaspersky and Bitdefender have linked the malware to Russia.

Kaspersky said its new findings suggest that Mandrake is “constantly evolving, improving its methods of disguise, and bypassing new defense mechanisms.”

The fact that the malware remained undetected on Google Play for so many years “indicates the high qualification of the attackers, as well as the fact that increasing restrictions and checks on applications before they are published in markets lead to more complex threats penetrating official app stores and making them more difficult to detect,” researchers said.

A spokesperson for Google said that the company is aware of the apps and has rolled out improvements to help combat anti-evasion techniques.

"Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services," the spokesperson said. "Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."