5 Mandrake spyware apps removed from Google Play

    From Isaac Montara@21:1/5 to All on Tue Jul 30 23:04:55 2024
    https://arstechnica.com/security/2024/07/mysterious-family-of-malware-hid-in-google-play-for-years/

    Besides a new round of decoy apps, the Mandrake operators also introduced several measures to better conceal their malicious behavior, avoid analysis from "sandboxes" used by researchers to identify and study malware, and combat malware protections introduced in recent years.

    A key feature of the latest generation of Mandrake is multiple layers of obfuscation designed to prevent analysis by researchers and bypass the vetting process Google Play uses to identify malicious apps. All five of the apps Kaspersky discovered first appeared in Play in 2022 and remained available for at least a year. The most recent app was updated on March 15 and removed from the app market later that month. As of earlier this month, none of the apps were detected as malicious by any major malware detection provider.

    One means of obfuscation was to move malicious functionality to native libraries, which were obfuscated. Previously, Mandrake stored the malicious logic of the first stage in what's known as the application DEX file, a type of file that's trivial to analyze. By switching the location to the native library libopencv_dnn.so, the Mandrake code is harder to analyze and detect because the native libraries are more difficult to inspect. By then obfuscating the native library using the OLLVM obfuscator, Mandrake apps were even more stealthy.

    The chief purposes of Mandrake are to steal the user's credentials and download and execute next-stage malicious applications. But these actions are carried out only in later-stage infections that are served only to a small number of carefully selected targets. The primary method is by recording the screen while a victim is entering a passcode. The screen recording is initiated by a control server sending commands such as start_v, start_i, or start_a.

    Package name                App name
    com.airft.ftrnsfr           AirFS
    com.astro.dscvr             Astro Explorer
    com.shrp.sght               Amber
    com.cryptopulsing.browser   CryptoPulsing
    com.brnmth.mtrx             Brain Matrix kodaslda

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
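The article's point about the first stage moving from the DEX file into a native library named after an OpenCV component is the kind of thing a triage script can surface quickly. The script below is an added example, not code from the Ars Technica article, Kaspersky's report or the Mandrake samples: it opens an APK as the ZIP it is, finds which native libraries the DEX actually references via System.loadLibrary (by string-pool scan, not a full DEX parse), and flags libraries that carry their own JNI entry points while using the name of a well-known open-source project. The APK it analyzes is constructed in memory to mimic the described layout; the list of "known" library names and the string-scan heuristics are assumptions of this example.

```python
"""Triage helper: where does an Android app's first-stage logic live?

Added example, not from the article or the Mandrake samples. It builds a
constructed, in-memory APK (fake DEX + fake .so) and shows how to spot a
native library that the DEX loads and that carries JNI entry points under
the name of an open-source component (here, libopencv_dnn.so).
"""
import hashlib
import io
import re
import zipfile

# Library names borrowed from well-known open-source projects. A JNI entry
# point inside one of these is a heuristic red flag: OpenCV's DNN module has
# no JNI glue of its own (the Java bindings live in libopencv_java*.so).
# Assumption of this example, not an authoritative list.
KNOWN_OSS_LIBS = {"libopencv_dnn.so", "libopencv_core.so", "libssl.so", "libcrypto.so"}

# Exported JNI symbols keep these literal names unless the author resolves
# natives dynamically via RegisterNatives, so absence is not a clean bill.
JNI_MARKERS = (b"JNI_OnLoad", b"Java_")

LIB_RE = re.compile(r"^lib/(?P<abi>[^/]+)/(?P<name>lib[^/]+\.so)$")
DEX_RE = re.compile(r"^classes\d*\.dex$")


def dex_strings(dex: bytes) -> set:
    """Printable ASCII runs of 4+ chars; a cheap stand-in for the DEX string pool."""
    return {m.group(0).decode() for m in re.finditer(rb"[\x20-\x7e]{4,}", dex)}


def triage_apk(apk_bytes: bytes) -> dict:
    """Map native libraries to DEX references and flag suspicious ones."""
    findings = {"dex_has_loadLibrary": False, "native_libs": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        strings = set()
        for n in names:
            if DEX_RE.match(n):
                strings |= dex_strings(z.read(n))
        # System.loadLibrary("opencv_dnn") leaves both the method name and
        # the bare library name in the string pool.
        findings["dex_has_loadLibrary"] = "loadLibrary" in strings
        for n in names:
            m = LIB_RE.match(n)
            if not m:
                continue
            blob = z.read(n)
            name = m.group("name")
            entry = {
                "path": n,
                "abi": m.group("abi"),
                "name": name,
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
                "jni_entry": any(mk in blob for mk in JNI_MARKERS),
                # "libfoo.so" is referenced as loadLibrary("foo")
                "loaded_by_dex": name[3:-3] in strings,
            }
            findings["native_libs"].append(entry)
            if entry["jni_entry"] and name in KNOWN_OSS_LIBS:
                findings["suspicious"].append(name)
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample, not a real dropper: a fake DEX whose string pool
    shows a loader class calling loadLibrary("opencv_dnn"), a fake ELF that
    exports JNI_OnLoad under the OpenCV module name, and a benign runtime lib."""
    fake_dex = (b"dex\n035\0" + b"\0" * 16
                + b"Ljava/lang/System;\0loadLibrary\0opencv_dnn\0Lcom/example/Loader;\0")
    fake_so = (b"\x7fELF" + b"\0" * 12
               + b"JNI_OnLoad\0Java_com_example_Loader_init\0" + b"\x90" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", fake_dex)
        z.writestr("lib/arm64-v8a/libopencv_dnn.so", fake_so)
        z.writestr("lib/arm64-v8a/libc++_shared.so", b"\x7fELF" + b"\0" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    print("DEX calls loadLibrary:", report["dex_has_loadLibrary"])
    for lib in report["native_libs"]:
        print(f"{lib['path']:40} {lib['size']:6d}B jni={lib['jni_entry']} "
              f"loaded={lib['loaded_by_dex']} sha256={lib['sha256'][:16]}...")
    print("Suspicious:", report["suspicious"])
```

Run it against a real APK by replacing build_sample_apk() with the file's bytes. The string scan tells you which .so to open in a disassembler first; it does not tell you what that library does, and OLLVM-style obfuscation (control-flow flattening, bogus branches, string encryption) is aimed at exactly that next step. Hash the library and compare it against the upstream OpenCV build for the same version: a libopencv_dnn.so that exports JNI_OnLoad, or whose size and hash match nothing the project ever shipped, is worth treating as the first stage even when no AV engine has a verdict for it.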