Warning over Mandrake malware infecting Android devices since 2016
The malware avoids infecting every Android device it reaches and instead focuses on hand-picked targets
Researchers at cyber security firm Bitdefender Labs have discovered a new, sophisticated piece of malware that has been stealing data from Android devices since 2016.
According to the researchers, this malware, dubbed Mandrake, differs from other commonly found malware in that it doesn't try to infect every Android device, but rather hand-picks potential targets before stealing valuable information from them.
The malware is designed to avoid infecting devices in certain regions, including Africa, former Soviet Union countries and the Middle East.
This is likely because its operators know that their chances of being identified increase with each new device they infect, so they are currently focusing only on those regions where they stand a better chance of making significant money.
Australia is one such region, where the malware was found infecting thousands of Android smartphones. The group's activity has also been observed in the US, Canada, and Europe.
The researchers said the group behind Mandrake has been spreading the malware for many years through a variety of apps available on the Play Store. The gang also adds new apps to the Play Store from time to time under different developer names.
To fool users into believing that the apps are trustworthy, their developers often respond to users' comments and have also created dedicated pages on various social media platforms.
To avoid detection in the Play Store, the operators don't include the malware in the apps themselves. Instead, they use a multi-stage process to infect the target device.
Once a user has downloaded and installed the app, it contacts its server to download a loader, which enables the operators to take manual control of the device.
"The malware operates in stages, with the first stage being a benign app with no malicious behaviour, other than the ability to download and install a second-stage payload when expressly directed to do so. It is safe to say that its operator won't trigger this malicious behaviour while running in Google's analysis environment," the researchers at Bitdefender Labs explained.
The malware then tricks the user into granting it additional permissions on the device.
Once all valuable data is collected from the device, Mandrake completely removes itself to prevent detection by anti-malware programmes.