A recently discovered strain of Android spyware has been hiding on the Google Play Store for about four years, disguised as the Coinbase cryptocurrency wallet and many other apps, according to a new report by Bitdefender.
The security firm named the malware Mandrake. It used a three-stage structure that let its operators evade Google Play Protect: the app hosted on the Play Store looked clean, and the components that did the spying were fetched only after installation. Once in place, Mandrake let its operators watch everything unsuspecting victims did on their devices.
Mandrake – How it Works
As well as posing as Coinbase, Mandrake's authors disguised their malware as apps for Amazon, Gmail, Google Chrome, numerous Australian and German banks, and the currency services XE and PayPal. As soon as the malicious app was installed, the dropper component would download the second stage, the loader, which in turn fetched the third and final component carrying the actual spying functionality.
The operators could remotely enable Wi-Fi, collect device information, hide their presence by suppressing notifications, and silently install additional apps. On a fully compromised device they could read all SMS messages, send texts, make calls, steal the contact list, switch on GPS and record the victim's location, steal Facebook and financial-app credentials, record the screen, and trigger a factory reset that wiped all user data, which also erased the malware itself.
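The staged design described above is exactly what a store-side scanner struggles with: the package that reaches Google Play can contain almost no malicious code, because the components that do the spying are fetched later. The Python script below is an added example, not Bitdefender's tooling or anything taken from the report; it implements a common static triage check for that pattern, flagging an APK whose code references Android's runtime class-loading APIs (DexClassLoader, InMemoryDexClassLoader), that carries a .dex/.jar/.apk payload inside its assets, or whose manifest requests the REQUEST_INSTALL_PACKAGES permission needed to install a downloaded APK. The two sample APKs are constructed inline and are not Mandrake samples, and the report summarised here does not say which of these mechanisms Mandrake used, so treat the indicators as a generic description of staged loading rather than a Mandrake signature.

```python
"""Heuristic static scan of an Android APK for the staged dropper/loader pattern:
code that is absent at review time but fetched and loaded (or installed) later.

Added example for this article, not Bitdefender's code. The indicator strings are
the standard Android API class names and permission used for runtime code loading;
the sample APKs built by _build_sample_apk() are constructed here for demonstration.
"""
import io
import re
import zipfile

# Platform APIs that load code at runtime. Their class descriptors appear verbatim
# in the DEX string table of any app that references them.
DYNAMIC_LOADER_CLASSES = (
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/InMemoryDexClassLoader",
)

# Permission required (API 26+) to prompt installation of a downloaded APK.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"

# Containers in which a dropper may carry, or later store, a second stage.
PAYLOAD_SUFFIXES = (".dex", ".jar", ".apk", ".zip")


def _manifest_has_string(manifest: bytes, needle: str) -> bool:
    """AndroidManifest.xml inside an APK is binary XML whose string pool is stored
    as UTF-8 or UTF-16LE; check both encodings rather than parsing the whole format."""
    return needle.encode("utf-8") in manifest or needle.encode("utf-16-le") in manifest


def scan_apk(apk_bytes: bytes) -> dict:
    """Return the staged-loading indicators found in an APK given as bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_blobs = [z.read(n) for n in names if re.fullmatch(r"classes\d*\.dex", n)]
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""

    loaders = sorted({c.decode() for c in DYNAMIC_LOADER_CLASSES for d in dex_blobs if c in d})
    embedded = sorted(
        n for n in names if n.startswith("assets/") and n.lower().endswith(PAYLOAD_SUFFIXES)
    )
    install_perm = _manifest_has_string(manifest, INSTALL_PERMISSION)

    return {
        "dynamic_loaders": loaders,
        "embedded_payloads": embedded,
        "requests_install_packages": install_perm,
        "suspicious": bool(loaders or embedded or install_perm),
    }


def _build_sample_apk(with_loader: bool) -> bytes:
    """Construct a minimal APK-shaped zip for demonstration (not a real app).

    with_loader=False yields a plain wallet-looking app; with_loader=True adds the
    three indicators a dropper/loader design tends to leave behind."""
    manifest = "<manifest package='com.example.wallet'>"
    dex = b"dex\n035\0" + b"Lcom/example/wallet/MainActivity;"
    extra = {}
    if with_loader:
        manifest += "<uses-permission android:name='" + INSTALL_PERMISSION + "'/>"
        dex += b"Ldalvik/system/DexClassLoader;"
        extra["assets/stage2.jar"] = b"PK\x03\x04"  # stub second-stage container
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest.encode("utf-16-le"))
        z.writestr("classes.dex", dex)
        for name, data in extra.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign-looking app", False), ("staged dropper", True)):
        print(label, scan_apk(_build_sample_apk(flag)))
```

Run against a real APK with `scan_apk(open("app.apk", "rb").read())`. This is a triage filter, not a verdict: multidex support libraries, hot-patch and plugin frameworks also reference these loaders, so a hit means "inspect where this app gets its code from", while a clean result says nothing about a payload that is only ever downloaded at runtime and never written to assets.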
Bitdefender traced the Play Store developer accounts linked to the operation and found what appeared to be a freelance developer hiding behind a network of fake company websites, stolen identities, email addresses, and fake job ads across North America.
Spyware this sophisticated is usually the preserve of government-backed agencies, or of companies selling questionable tools to such agencies and security forces. Last year ESET found spyware built on open-source code, while a 2017 Black Hat presentation described efforts to purge the Play Store of government-surveillance malware of the same kind as Mandrake.
Despite those efforts, stalkerware, the criminal rather than the espionage variety, keeps turning up on the Play Store, which is supposedly vetted by Google.
And even the most advanced automated scanning cannot identify every new threat from a determined government-backed operator.