Kaspersky researchers have identified a new spyware campaign distributing Mandrake malware through Google Play under the guise of legitimate apps related to cryptocurrency, astronomy, and utility tools. Kaspersky experts have discovered five Mandrake applications on Google Play, which were available for two years, with more than 32,000 downloads. The latest samples feature advanced obfuscation and advanced evasion techniques, enabling them to remain undetected by security vendors.
First identified in 2020, Mandrake spyware is a sophisticated Android espionage platform that has been active since at least 2016. In April 2024, Kaspersky researchers uncovered a suspicious sample, suggesting a new version of Mandrake with enhanced functionality. These new samples feature advanced obfuscation and evasion techniques, including shifting malicious functions to obfuscated native libraries using OLLVM, implementing certificate pinning for secure communication with command and control (C2) servers, and conducting extensive checks to detect whether Mandrake is operating on a rooted device or within an emulated environment.
The key distinguishing feature of the new Mandrake variant is the addition of advanced obfuscation techniques designed to bypass Google Play’s security checks and hinder analysis. Company’s experts identified five applications containing the Mandrake spyware, collectively downloaded more than 32,000 times. These apps, all published on Google Play in 2022, were available for download for at least a year. They were presented as a file-sharing app via Wi-Fi, an astronomy services app, an Amber for Genshin game, a cryptocurrency app and app with logic puzzles. As of July 2024, none of these apps have been detected as malware by any vendor, according to VirusTotal.
While these malicious applications are no longer available in Google Play, they were available in a wide range of countries with the majority of downloads happening in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
Considering the similarities of the current and previous campaign with C2 domains registered in Russia, we assume with high confidence that the threat actor is the same as stated in the Bitdefender’s first detection report.
“After evading detection for four years in its initial versions, the latest Mandrake campaign remained undetected on Google Play for an additional two years. This demonstrates the advanced skills of the threat actors involved. It also highlights a troubling trend: as restrictions tighten and security checks become more rigorous, the sophistication of threats penetrating official app stores increases, making them more challenging to detect,” comments Tatyana Shishkova, Lead Security Researcher at Kaspersky’s GReAT (Global Research and Analysis Team).
To learn more about new Mandrake spyware campaign, visit
To stay safe from threats like Mandrake spyware, Kaspersky experts suggest considering the following tips:
- Use Official Marketplaces: Download apps and software from reputable and official sources. Avoid third-party app stores, as the risk that they may host malicious or compromised apps is higher. Be aware that even official platforms can host malicious apps. Always check reviews and ratings before downloading.
- Use reputable security software: Install and maintain reputable antivirus and anti-malware software on your devices. Regularly scan your devices for potential threats and keep your security software up to date. Kaspersky Premium protects its users from known and unknown threats.
- Educate yourself about common scams: Stay informed about the latest cyber threats, techniques, and tactics. Be cautious of unsolicited requests, suspicious offers, or urgent demands for personal or financial information.
- Third-party software from popular sources often comes with zero warranty. Keep in mind that such apps can contain malicious implants, e. g. because of supply chain attacks.