Android Malware Hidden For Years

Five rogue Android apps remained in the Google Play store for more than two years. They hosted notorious malware called Mandrake that was hidden through some creative means.

According to SecureList, the apps were titled AirFS, Amber, Astro Explorer, Brain Matrix and CryptoPulsing. The good news is that the apps had hardly any downloads, one of the reasons they attracted little attention. The real concern is whether malware distributors are using the same tactics with other apps. (Source: securelist.com)

Mandrake has been known about since 2020, though appears to have been in circulation since at least 2016. It aims to trick users with misleading documents or through bogus on-screen "tap boxes", the idea being to get additional Android permissions or even "record" somebody typing in user credentials such as passcodes. This then lets the operators carry out more severe attacks. (Source: bitdefender.com)

Japanese Death Ritual

The malware uses an unusual pattern: although it tries to spread from device to device, it only aims to actually do anything on devices of a narrowly targeted group of potential victims. These are identified using personal data accessed on the device.

The tactics include a complete block on operating in around 90 countries, most notably those in the former Soviet Union. It also had a remote switch that allowed the operators to completely delete all trace of the malware from a device. This was nicknamed seppuku after a Japanese suicide ritual.

Bugs Fixed Quickly

Mandrake has been hidden in a wide range of apps, all of which performed their advertised functions. The developers even made sure to quickly fix any bugs that users reported. The new tactics used to keep the infected apps from detection for so long were extremely technical. In the simplest terms, they involved moving the location of the malware code within the files for the app itself. This made it much harder for security tools (likely including Google's own vetting) to find and analyze the malware code.

Google has yet to comment on the rogue apps.

What's Your Opinion?

Does it matter to you if malware creators are only targeting specific victims? Do you trust sources such as Google Play to properly verify apps for security? Have you used or considered dedicated security tools on phones or tablets?