Thousands of Android users downloaded and installed 5 malicious apps without knowing it

The notorious Mandrake Android spyware campaign has made an unexpected comeback, according to Kaspersky researchers who have been tracking its activities. A suspicious malware sample was discovered on Google Play in April this year, which turned out to be a new version of Mandrake. Further investigation revealed that 5 Android apps containing the Mandrake malware had been available on the store for over two years.

The latest iteration of Mandrake has improved its ability to evade detection by incorporating layers of obfuscation, allowing threat actors to sneak these malicious apps onto Google Play in 2022. The researchers found that most of these infected apps were installed fewer than 1,000 times, but the fake file-sharing app AirFS was downloaded over 30,000 times.

Here’s a list of the 5 Mandrake-infected apps that were available on Google Play for at least a year:

* AirFS (File sharing via Wi-Fi) by it9042 – 30,305 downloads

* Astro Explorer by shevabad – 718 downloads

* Amber by kodaslda – 19 downloads

* CryptoPulsing by shevabad – 790 downloads

* Brain Matrix by kodaslda – 259 downloads

Kaspersky researchers warn that the Mandrake spyware steals user credentials and downloads additional malicious apps. The latest version of Mandrake has become more sophisticated, allowing it to evade detection for longer periods.

Two Kaspersky experts noted: “The Mandrake malware is constantly evolving, improving its methods of concealment, sandbox evasion, and bypassing new defense mechanisms. This highlights the threat actors’ advanced skills and the need for stricter controls on app publication in official marketplaces.”

Fortunately, users are protected from threats like these if they have Google Play Protect enabled on their device. Additionally, all 5 infected apps have been removed from Google Play.

Source: BGR.com