Published: July 31, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
A powerful spyware named Mandrake was recently discovered hiding in the Google Play store. The spyware disguised itself in a way that kept it hidden for years from Google's malware scans. Researchers discovered the spyware was hiding inside apps that appeared harmless and legitimate and were available for download on the official store. This stealthy spyware, or “stalkerware,” has been stealing huge amounts of user data while remaining undetected. With no reliable way to count Mandrake’s victims over the years, experts estimate the total number is in the hundreds of thousands.
The damage Mandrake can do to victims who unknowingly download it is extensive. The spyware is considered an espionage-level government surveillance tool, something Google claims it also scans for. Mandrake tricks users into handing over all privileges on an Android device, giving the attacker total control over it, including all the data it holds. The spyware first emerged posing as Coinbase, a cryptocurrency wallet service. Following the Coinbase lure, further spyware apps impersonated the Google Chrome browser, Amazon, Gmail, PayPal, and various banks worldwide.
Mandrake stayed undetected with a three-part setup that uses a dropper instead of a downloader. A dropper carries its payload hidden inside itself rather than fetching it, which has kept it from being flagged by malware scanning despite efforts to find it. The dropper's disguise gets it onto the device, where it installs the loader. Finally, the loader components download and install the Mandrake spyware itself.
Once Mandrake is installed, it can do a complete data dive on a device. The spyware goes well beyond stealing the usual sensitive information. It can send and receive texts; make calls; steal all Facebook and financial app credentials such as passwords and account numbers; activate and record GPS data; take screen recordings; steal contact lists; and take practically anything else it wants from a device. Once it’s done pillaging, Mandrake can restore factory settings (deleting all data) and wipe any traces of itself from the device.
Google claims Mandrake has finally been removed. But experts believe that Mandrake and others like it will continue to appear under the cover of legitimate apps. All users should apply basic security checks before downloading from either Google Play or the Apple App Store. These include reading app reviews for any problems that others have experienced. Also, research the status of the app developer with sources you trust, including the Better Business Bureau. And remember: only download apps from the official app stores and never “sideload” from unofficial sites.