Mandrake 2.0: The New Android Threat Spreading on Google Play


In recent developments, researchers at Kaspersky Lab have uncovered a new version of the Mandrake Android malware, posing significant threats to global users. Distributed through the Google Play Store from 2022 to 2024, this sophisticated malware has masqueraded under the guise of five different applications, reaching at least 32,000 downloads across multiple countries. Notably, Mandrake’s previous detailed analysis by Bitdefender in May 2020 highlighted its capability to remain undetected for four years, marking it as a highly elusive and dangerous spyware.

Evolution of Mandrake: From Covert Operations to Global Threat

Mandrake’s resurgence in 2024 is characterized by its enhanced obfuscation techniques designed to evade Google Play Store checks and complicate malware analysis. This latest version continues to exploit vulnerabilities, allowing attackers to steal data from infected devices, record and transmit the screen activities in real-time, and execute user actions remotely. Furthermore, the malware can download additional malicious software onto the device, escalating its threat level.

In April 2024, Kaspersky Lab identified a suspicious sample that revealed itself as a new iteration of Mandrake. The malware’s standout feature was the implementation of additional obfuscation layers, making it harder for security measures to detect and analyze.

Distribution Channels and Global Impact

Mandrake infiltrated devices through five applications available on Google Play:

  • A cryptocurrency exchange rate monitoring app
  • Two gaming apps
  • An astronomical exploration service
  • File-sharing solutions

The cumulative download count exceeded 32,000, with the majority occurring in Canada, Germany, Italy, Mexico, Spain, Peru, and the United Kingdom. The most recently updated of these apps, removed from Google Play by the end of March 2024, was last updated on March 15, 2024.

Here is a detailed breakdown of the infected applications:

| Package Name | Application Name | MD5 | Developer | Publication Date | Last Update Date | Download Count |
|---|---|---|---|---|---|---|
| com.airft.ftrnsfr | AirFS | 33fdfbb1acdc226eb177eb42f3d22db4 | it9042 | 28 April 2022 | 15 March 2024 | 30,305 |
| com.astro.dscvr | Esploratore astronomico | 31ae39a7abeea3901a681f847199ed88 | shevabad | 30 May 2022 | 6 June 2023 | 718 |
| com.shrp.sght | Ambra | b4acfaeada60f41f6925628c824bb35e | kodaslda | 27 February 2022 | 19 August 2023 | 19 |
| com.cryptopulsing.browser | Criptopulsazione | e165cda25ef49c02ed94ab524fafa938 | shevabad | 2 November 2022 | 6 June 2023 | 790 |
| com.brnmth.mtrx | Matrice cerebrale | (not listed) | kodaslda | 27 April 2022 | 6 June 2023 | 259 |

According to VirusTotal, as of July 2024, none of these applications were detected as malicious by any security solution.
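A defender's first use of the table above is an inventory check. The script below is an added example, not code from the article or from Kaspersky: it parses `adb shell pm list packages -f` style output, matches package names against the five listed here, and, where the analyst has pulled the APK, compares its MD5 against the published hash. The inventory lines and APK bytes used in it are constructed, so the hash comparison in the example deliberately reports a mismatch.

```python
"""Added example: match a device's package inventory and pulled APKs against the
Mandrake package names and MD5 sums listed in the article's table."""
import hashlib

# Indicators taken from the article's table; Matrice cerebrale has no MD5 listed.
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr": "33fdfbb1acdc226eb177eb42f3d22db4",
    "com.astro.dscvr": "31ae39a7abeea3901a681f847199ed88",
    "com.shrp.sght": "b4acfaeada60f41f6925628c824bb35e",
    "com.cryptopulsing.browser": "e165cda25ef49c02ed94ab524fafa938",
    "com.brnmth.mtrx": None,
}


def parse_pm_list(output: str) -> dict:
    """Parse lines of the form 'package:/data/app/.../base.apk=com.example.app'
    (the format of `pm list packages -f`) into {package: apk_path}.
    Lines without '-f' detail ('package:com.example.app') map to an empty path."""
    inventory = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        path, sep, pkg = body.rpartition("=")
        if sep:
            inventory[pkg] = path
        else:
            inventory[body] = ""
    return inventory


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def match_indicators(inventory: dict, apk_bytes: dict) -> list:
    """Return (package, verdict) pairs for every installed package that matches
    a Mandrake indicator. apk_bytes holds the APK contents the analyst pulled
    with `adb pull`, keyed by package name; missing entries skip the hash check."""
    findings = []
    for pkg in inventory:
        if pkg not in MANDRAKE_PACKAGES:
            continue
        expected = MANDRAKE_PACKAGES[pkg]
        data = apk_bytes.get(pkg)
        if expected is None or data is None:
            findings.append((pkg, "package name matches Mandrake IoC (hash not verified)"))
        elif md5_of(data) == expected:
            findings.append((pkg, "package name and APK MD5 match Mandrake IoC"))
        else:
            findings.append((pkg, "package name matches, MD5 differs (other build or repack)"))
    return findings


# Constructed inventory, not output captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:/data/app/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/com.airft.ftrnsfr-2/base.apk=com.airft.ftrnsfr
package:/data/app/com.brnmth.mtrx-1/base.apk=com.brnmth.mtrx
package:com.example.notes
"""

# Constructed placeholder bytes standing in for a pulled APK.
SAMPLE_APKS = {"com.airft.ftrnsfr": b"CONSTRUCTED-PLACEHOLDER-APK-BYTES"}


def run_sample() -> list:
    return match_indicators(parse_pm_list(SAMPLE_PM_OUTPUT), SAMPLE_APKS)


if __name__ == "__main__":
    for pkg, verdict in run_sample():
        print(f"{pkg}: {verdict}")
```

On a real device the inventory comes from `adb shell pm list packages -f` and the APK from `adb pull` of the listed path; a name match alone is enough to quarantine the device for triage, since the hash only confirms which build is present.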

Technical Analysis: Unmasking Mandrake’s Sophistication

The analysis of the Mandrake malware, especially the AirFS app, revealed its intricate multi-stage operation involving a dropper, downloader, and kernel phases, mirroring the previous Mandrake versions documented by Bitdefender. However, a notable difference in this campaign was the concealment of the initial malicious activity within the native library libopencv_dnn.so, which is significantly harder to analyze and detect compared to .dex files.

To further complicate detection, the native library was heavily obfuscated using the OLLVM obfuscator; its primary task is to decrypt and load the second stage (the loader). With Android 13’s introduction of restricted settings, which prevent apps not downloaded from the official store from directly requesting dangerous permissions, Mandrake adapted by using a package installer “session” for installation.

Additionally, Mandrake’s new version features advanced sandbox detection, debugging tool identification, and the ability to determine the user’s country and mobile operator. The malware also enumerates the installed applications, and the number of emulation checks has increased significantly to prevent execution in analysis environments.

In depth

A Silent Threat in the Digital Marketplace: The AirFS Malware Campaign

In the ever-evolving landscape of cyber threats, the AirFS malware campaign stands as a stark reminder of the ingenuity and persistence of cybercriminals. This meticulously designed malware, disguised as a benign file-sharing app, operated undetected on Google Play for two years, amassing over 30,000 downloads before its malevolent nature was exposed. This article delves deep into the intricacies of the AirFS malware, its infection chain, evasion techniques, and the broader implications for cybersecurity.

The Disguised Threat: AirFS on Google Play

AirFS presented itself as a straightforward file-sharing application, luring users with promises of convenient file transfers. However, user reviews hinted at underlying issues, with complaints about non-functionality and data theft surfacing sporadically. Despite these warnings, the app managed to evade detection and removal from the Google Play Store, underscoring the sophistication of its design and the challenges faced by app store security mechanisms.

The Infection Chain: A Multi-Stage Attack

The AirFS malware operates through a complex multi-stage infection chain, reminiscent of previous Mandrake campaigns but with notable advancements. The infection begins with a dropper stage, which in earlier versions was embedded within the application’s DEX file. In the latest iteration, the malicious logic is concealed within a native library, libopencv_dnn.so, complicating analysis and detection efforts.

Upon execution, the native library decrypts the next stage, known as the loader, from the assets/raw folder. This stage is heavily obfuscated using the OLLVM obfuscator, further hindering detection. The loader then decrypts and executes the core component, which houses the primary malicious functionalities.
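The chain described above leaves a static footprint an analyst can triage before any dynamic analysis: a native library that does the decrypting plus encrypted blobs under assets/raw. The following is an added example, not code from the article or from Kaspersky, and it does not reproduce Mandrake's own decryption; it builds a constructed APK in memory with the same layout (the library name libopencv_dnn.so is taken from the article, the asset file names and the 7.5 bits/byte entropy threshold are assumptions) and flags high-entropy raw assets sitting next to a native library.

```python
"""Added example: static triage of an APK (a zip) for the layout the article
describes, a native library plus encrypted next-stage blobs in assets/raw."""
import io
import math
import os
import zipfile
from collections import Counter

# Assumed threshold: encrypted or compressed data approaches 8.0 bits per byte.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_apk(apk_bytes: bytes) -> dict:
    """List native libraries and score every assets/raw member by entropy.
    The report's 'flag' is set when both a native library and at least one
    high-entropy raw asset are present, the combination the article describes."""
    report = {"native_libs": [], "raw_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"].append(name)
            elif name.startswith("assets/raw/") and not info.is_dir():
                data = zf.read(name)
                ent = shannon_entropy(data)
                report["raw_assets"].append({
                    "name": name,
                    "size": len(data),
                    "entropy": round(ent, 2),
                    "suspicious": ent >= ENTROPY_THRESHOLD,
                })
    report["flag"] = bool(report["native_libs"]) and any(
        a["suspicious"] for a in report["raw_assets"]
    )
    return report


def build_sample_apk() -> bytes:
    """Constructed sample APK (a plain zip), not a real Mandrake dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.constructed'/>")
        # Stand-in for the obfuscated native library: an ELF header and padding.
        zf.writestr("lib/arm64-v8a/libopencv_dnn.so", b"\x7fELF" + b"\x00" * 64)
        # Stand-in for an encrypted loader: random bytes have near-maximal entropy.
        zf.writestr("assets/raw/loader.bin", os.urandom(4096))
        # A plaintext asset for contrast; it must not be flagged.
        zf.writestr("assets/raw/readme.txt", b"hello " * 200)
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_apk(build_sample_apk())
    print("native libs:", rep["native_libs"])
    for asset in rep["raw_assets"]:
        print(asset)
    print("flag for manual analysis:", rep["flag"])
```

Entropy alone does not prove encryption (compressed images score high too), so the check is a triage signal that sends the sample to manual unpacking, not a verdict; pairing it with the presence of a native library that reads those assets is what makes it specific to this loading pattern.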

Obfuscation and Evasion Techniques

The developers of AirFS have implemented sophisticated obfuscation and evasion techniques to ensure the malware’s longevity and stealth. The first-stage native library is obfuscated, and its primary function is to decrypt and load the second stage. The second stage employs additional obfuscation and evasion tactics, including environment checks to detect emulators, rooted devices, and security tools like Frida.

Second-stage commands:

| Command | Description |
|---|---|
| start | Start activity |
| cup | Set wakelock, enable Wi-Fi, and start main parent service |
| cdn | Start main service |
| stat | Collect information about connectivity status, battery optimization, “draw overlays” permission, adb state, external IP, Google Play version |
| apps | Report installed applications |
| accounts | Report user accounts |
| battery | Report battery percentage |
| home | Start launcher app |
| hide | Hide launcher icon |
| unload | Restore launcher icon |
| core | Start core loading |
| clean | Remove downloaded core |
| over | Request “draw overlays” permission |
| opt | Grant the app permission to run in the background |

The malware’s evasion techniques extend to its communications. All C2 (Command and Control) traffic is encrypted: messages are serialized in a custom JSON-like format, and the client certificate used for the connection is stored AES-encrypted inside the app, so only clients that can decrypt it complete a connection to the C2 server. This makes the traffic difficult to intercept and analyze and thwarts simple network sniffing.

The Core Functionality: Data Exfiltration and Control

Once fully deployed, the AirFS malware’s core functionality is centered around data exfiltration and remote control. The malware collects extensive information about the infected device, including installed applications, mobile network details, IP address, and unique device ID. This data is sent to the C2 server, which then determines whether to proceed with further stages based on the target’s relevance.

Third-stage commands:

| Command | Description |
|---|---|
| start | Start activity |
| duid | Change UID |
| cup | Set wakelock, enable Wi-Fi, and start main parent service |
| cdn | Start main service |
| stat | Collect information about connectivity status, battery optimization, “draw overlays” permission, adb state, external IP, Google Play version |
| apps | Report installed applications |
| accounts | Report user accounts |
| battery | Report battery percentage |
| home | Start launcher app |
| hide | Hide launcher icon |
| unload | Restore launcher icon |
| restart | Restart application |
| apk | Show application install notification |
| start_v | Load an interactive webview overlay with a custom screen-sharing implementation that gives remote access, referred to by the malware developers as “VNC” |
| start_a | Load webview overlay with automation |
| stop_v | Unload webview overlay |
| start_i, start_d | Load webview overlay with screen record |
| stop_i | Stop webview overlay |
| upload_i, upload_d | Upload screen record |
| over | Request “draw overlays” permission |
| opt | Grant the app permission to run in the background |

The third stage, or core component, executes various commands received from the C2 server. These commands enable the malware to perform actions such as starting activities, setting wake locks, collecting connectivity status, reporting installed applications, and hiding the launcher icon. The malware can also initiate a webview overlay for screen sharing, record the screen, and automate interactions with the loaded web pages.

Data Decryption Methods

The decryption logic used by AirFS is consistent across its different stages. The malware utilizes a combination of AES encryption and custom XOR encoding to protect its data. Encrypted strings are interspersed with plain text strings, and the decryption process involves calculating the length of the string using XOR operations and then decrypting the data with the appropriate keys.

The AES key decryption process is particularly intricate, involving the division of the encrypted file into 16-byte blocks, each decrypted with AES-CFB128. This method ensures that even if parts of the encrypted data are intercepted, they cannot be easily decrypted without the correct keys and IV.

Installing Next-Stage Applications

AirFS employs a unique approach to bypass the “Restricted Settings” feature introduced in Android 13, which restricts sideloaded applications from requesting dangerous permissions. The malware uses a session-based package installer to process the installation of additional malicious APK files. This technique involves showing a notification that mimics a legitimate Google Play update, tricking users into initiating the installation process.

Sandbox Evasion and Environment Checks

The latest versions of AirFS demonstrate a significant increase in code complexity and the number of checks to evade sandbox environments. The malware detects the presence of Frida, a popular dynamic instrumentation toolkit, by calculating the CRC of all libraries and continuously monitoring for changes. It also checks for common indicators of rooted devices, such as the presence of su binaries, SuperUser.apk, Busybox, Xposed framework, and Magisk files.

Additionally, the malware verifies whether development settings and ADB (Android Debug Bridge) are enabled and checks for the presence of a Google account and Google Play application on the device. These checks ensure that the malware operates primarily on genuine user devices, minimizing the risk of detection by security analysts.

C2 Communication Protocols

The C2 communication protocols used by AirFS are designed to maintain a high level of security and stealth. The malware uses an OpenSSL static compiled library for encrypted communications, with an AES-encrypted certificate ensuring that only verified clients can establish a connection. The encrypted certificate is decrypted from the assets/raw folder, and all C2 communications are serialized in a custom JSON-like format.

The C2 server issues commands to the malware using a predefined set of opcodes, with different opcodes representing various actions. For example, request opcode 1000 is used to send device information, while response opcode 1010 instructs the malware to install the next-stage APK. This structured communication protocol allows the malware to execute a wide range of actions based on the commands received from the C2 server.

Attribution and Broader Implications

The AirFS malware campaign exhibits strong similarities to previous Mandrake campaigns, with the C2 domains registered in Russia, suggesting the involvement of the same threat actor. The persistence and sophistication of this campaign highlight the evolving nature of cyber threats and the continuous cat-and-mouse game between cybercriminals and security professionals.

The AirFS campaign underscores the importance of robust security measures, including regular updates to detection mechanisms, thorough analysis of application behavior, and the implementation of advanced threat intelligence solutions. As cybercriminals continue to develop more sophisticated malware, the need for proactive and adaptive cybersecurity strategies becomes increasingly critical.

The AirFS malware campaign represents a significant threat to Android users, demonstrating the lengths to which cybercriminals will go to evade detection and achieve their objectives. The multi-stage infection chain, advanced obfuscation and evasion techniques, and secure C2 communications employed by AirFS highlight the need for continuous vigilance and innovation in the field of cybersecurity. By understanding the mechanisms and strategies used by such sophisticated malware, security professionals can better protect users and systems from emerging threats.

Implications and Future Outlook

The discovery of Mandrake 2.0 underscores the evolving nature of malware threats and the ongoing battle between cybercriminals and security researchers. The sophisticated techniques employed by Mandrake to avoid detection highlight the need for continuous advancements in cybersecurity measures and user awareness. As malware continues to evolve, so must the strategies and technologies used to combat it, ensuring the safety and security of users worldwide.

In conclusion, the new version of Mandrake presents a formidable challenge to global cybersecurity efforts. Its ability to remain undetected for extended periods, coupled with advanced obfuscation and multi-stage operations, makes it a significant threat. Continuous vigilance, enhanced detection technologies, and international collaboration are essential in addressing and mitigating the risks posed by such sophisticated malware.


Copyright of debuglies.com
Even partial reproduction of the contents is not permitted without prior authorization – Reproduction reserved
