The Mandrake spyware, initially discovered in 2020, has recently reappeared through five suspicious apps targeting Android users. Kaspersky Lab researchers found a new version of Mandrake in the Google Play Store in April, along with five Android applications containing this malware. These infected apps have been available in the Google Play Store for two years. The new Mandrake version has been equipped with multiple overlays to evade Google Play tests, allowing threat actors to sneak at least five infected apps onto the platform in 2022. Despite containment efforts, one of the infected apps, AirFS, had over 30,000 installs, while the others had less than 1,000 installs each.
The infected applications remained on Google Play until March 2024 before being removed. The list of Android applications containing Mandrake and the number of installations reported by Kaspersky include AirFS – File sharing via Wi-Fi by it9042 (30,305 installations); Shevabad’s Astro Explorer (718 installs); Amber by kodaslda (19 installs); CryptoPulsing by shevabad (790 installs); and Brain Matrix by kodaslda (259 installs).
Kaspersky reported that threat actors use Mandrake to steal user credentials and download and execute malicious applications. The improved ability of the new Mandrake versions to conceal their true intentions enables them to persist on Google Play for an extended period.
As a protective measure, Google recommends that Android users enable Google Play Protect on their devices to guard against similar threats.
