A stealthy family of Android malware, notorious for quietly carrying out surveillance on infected devices, has resurfaced on Google Play after remaining hidden for over two years.
The malicious applications masqueraded as file-sharing tools, astronomy utilities, and cryptocurrency platforms. They were found to host Mandrake—an aggressive form of malware spotlighted by cybersecurity experts at Bitdefender back in 2020. According to Bitdefender’s findings, these apps emerged in two distinct waves; the first from 2016 to 2017 and then again between 2018 and 2020. The evasiveness of Mandrake during its earlier presence can be attributed to several sophisticated methods employed by its creators such as:
- Not functioning within 90 nations, notably those within the former Soviet Union
- Unleashing harmful features only on highly specific targets
- Incorporating a self-destruct mechanism termed “seppuku,” derived from Japanese ritual suicide, that completely eradicates all signs of infection
- Offering fully operational fake applications across diverse categories like finance, vehicles, video playback & editing, art & design, and productivity tools
- Swiftly addressing bugs reported via user comments
- Utilizing TLS certificate pinning, thereby masking communications with command-and-control servers.
Stealthy Operations Unveiled
Bitdefender’s reports suggest that the number of affected users during the second wave between 2018 and 2020 may have reached into the tens of thousands—potentially accumulating “hundreds of thousands” impacted users throughout the entire four-year span.