Mysterious family of malware hid in Google Play for years
A mysterious family of Android malware with a demonstrated history of effectively concealing its myriad spying activities has once again been found in Google Play after more than two years of hiding in plain sight.
The apps, disguised as file-sharing, astronomy, and cryptocurrency apps, hosted Mandrake, a family of highly intrusive malware that security firm Bitdefender called out in 2020. Bitdefender said the apps appeared in two waves, one in 2016 through 2017 and again in 2018 through 2020. Mandrake's ability to go unnoticed then was the result of some unusually rigorous steps to fly under the radar. They included:
- Not working in 90 countries, including those comprising the former Soviet Union
- Delivering its final payload only to victims who were extremely narrowly targeted
- Containing a kill switch the developers named seppuku (Japanese form of ritual suicide) that fully wiped all traces of the malware
- Fully functional decoy apps in categories including finance, Auto & Vehicles, Video Players & Editors, Art & Design, and Productivity
- Quick fixes for bugs reported in comments
- TLS certificate pinning to conceal communications with command and control servers.
Bitdefender estimated the number of victims in the tens of thousands for the 2018 to 2020 wave and probably hundreds of thousands throughout the full 4-year period."