Malware found on Google Play looks innocent at first, then downloads additional capabilities that allow it to take over targeted devices
Security researchers have warned of an “incredibly sophisticated” Android hacking campaign that is all the more dangerous because it is highly selective in whom it attacks.
The Mandrake malware “puts in significant effort not to infect victims”, computer security firm Bitdefender said in an advisory.
The malware, which was triggered by several innocent-seeming apps on the Google Play store, “cherry-picks” only a few devices as targets for malicious code designed to take over the system and steal information, Bitdefender said.
“This is likely because its operators know that they increase their chances of being called out with every device they infect, so they have instructed the malware to avoid countries where compromised devices won’t bring them any return of interest,” researchers said.
‘Advanced manipulation tactics’
The malware uses “advanced manipulation tactics” to trick users into granting far-reaching permissions, for instance re-drawing what users see on the screen.
While users think they are merely carrying out a series of taps to accept an End-User Licence Agreement, they are actually granting “extremely powerful permissions” with which “the malware gets complete control of the device and data on it”.
The malware allows its controllers to collect any data from a compromised device, including account credentials, to secretly record what’s happening on the screen and to monitor the user’s location via GPS, amongst other functions.
Mandrake has been active since at least 2016, and initially targeted Australian users before moving on to areas including Europe and the Americas.
The current attack campaign has probably compromised tens of thousands of users, and hundreds of thousands over the past four years, Bitdefender said.
The malware made its way onto Android devices via several apps on Google Play that appeared to be made by different developers, some targeting specific countries.
The apps were ad-free and received regular updates, and some even had social media accounts, Bitdefender said.
All the identified Mandrake apps have now been removed from Google Play, but researchers said the malware’s developers remain active and are likely to publish other apps with which to carry out attacks.
The initial apps carried no malicious code themselves; they downloaded a second-stage app with more capabilities, but only when expressly directed to do so, in order to evade the Play Store’s security controls.
Bitdefender said it hasn’t determined who is behind Mandrake, but noted that it specifically avoids infecting users located in former Soviet Union countries such as Ukraine, Belarus, Kyrgyzstan and Uzbekistan, as well as countries in Africa and the Middle East.
This is a tactic frequently employed by hackers to avoid attracting the attention of law enforcement authorities within their own countries.
Bitdefender advised users to avoid downloading apps from unknown sources.