Mandrake - owning Android devices since 2016

Bogdan BOTEZATU

May 14, 2020


In early 2020 we identified a new, highly sophisticated Android espionage platform that had been active in the wild for at least 4 years. We named the threat Mandrake because the actor(s) behind it used names of toxic plants, or other botanical references, for major development branches, e.g. Briar, Ricinus or Nerium.

An investigation by Bitdefender researchers Marius TIVADAR, Rickey GEVERS, Rareș BLEOTU, Alin Mihai BARBATEI, Bíró BALÁZS and Claudiu COBLIȘ

An incredibly sophisticated piece of Android malware

Unlike run-of-the-mill malware, Mandrake puts in significant effort NOT to infect victims. It cherry-picks a handful of devices it gets installed on for further exploitation. This is likely because its operators know that they increase their chances of being called out with every device they infect, so they have instructed the malware to avoid countries where compromised devices won’t bring them any return of interest.

The malware also uses advanced manipulation tactics to bait users. For instance, it re-draws what the user sees on the screen to hijack taps. What users perceive as accepting an End-User License Agreement is actually a complex series of requests for, and grants of, extremely powerful permissions. With those permissions, the malware gets complete control of the device and the data on it.

If you want to learn more about Mandrake, the whitepaper below provides insight into how the malware operates, what its end goal seems to be and how it successfully managed to stay undetected in an official app store for more than 4 years.

Download the whitepaper
