BleepingComputer reports that five Android apps cumulatively downloaded more than 32,000 times from the Google Play Store have been leveraged to facilitate the distribution of a stealthier iteration of the Mandrake Android spyware since 2022.
Most popular of the Mandrake-dropping apps was AirFS- File sharing via Wi-Fi with over 30,000 downloads, while Canada, Germany, and Italy had the most downloads of the apps, all of which have already been removed from Google Play, a Kaspersky report showed. Installation of the malicious apps was followed by the native library's exporting of a second-stage loader decryptor and the establishment of command-and-control server communications before the eventual delivery of the spyware.
Aside from enabling data gathering and screen recording, Mandrake could also facilitate user interaction simulations, command execution, app installation, and file management while further bypassing detection by monitoring for the presence of Frida security toolkit and searching for binaries related to device root status, according to Kaspersky researchers.
