In recent developments, researchers at Kaspersky Lab have uncovered a new version of the Mandrake Android malware, posing significant threats to global users. Distributed through the Google Play Store from 2022 to 2024, this sophisticated malware has masqueraded under the guise of five different applications, reaching at least 32,000 downloads across multiple countries. Notably, Mandrake’s previous detailed analysis by Bitdefender in May 2020 highlighted its capability to remain undetected for four years, marking it as a highly elusive and dangerous spyware.
Evolution of Mandrake: From Covert Operations to Global Threat
Mandrake’s 2024 resurgence is marked by heavier obfuscation, built to slip past Google Play’s review and to slow down analysts. Once on a device, the new version steals data, records the screen and streams it in real time, performs user actions remotely on the attacker’s behalf, and can download and install additional malicious payloads, escalating its threat level.
In April 2024, Kaspersky Lab identified a suspicious sample that revealed itself as a new iteration of Mandrake. The malware’s standout feature was the implementation of additional obfuscation layers, making it harder for security measures to detect and analyze.
Distribution Channels and Global Impact
Mandrake reached devices through five applications published on Google Play:
- A cryptocurrency exchange rate monitoring app
- Two gaming apps
- An astronomical exploration service
- A file-sharing app
The cumulative download count exceeded 32,000, with the majority in Canada, Germany, Italy, Mexico, Spain, Peru, and the United Kingdom. All five apps had been removed from Google Play by the end of March 2024; the most recently maintained of them, AirFS, received its last update on March 15, 2024.
Here is a detailed breakdown of the infected applications:
Package Name | Application Name | MD5 | Developer | Publication Date | Last Update Date | Download Count |
---|---|---|---|---|---|---|
com.airft.ftrnsfr | AirFS | 33fdfbb1acdc226eb177eb42f3d22db4 | it9042 | 28 April 2022 | 15 March 2024 | 30,305 |
com.astro.dscvr | Esploratore astronomico | 31ae39a7abeea3901a681f847199ed88 | shevabad | 30 May 2022 | 6 June 2023 | 718 |
com.shrp.sght | Ambra | b4acfaeada60f41f6925628c824bb35e | kodaslda | 27 February 2022 | 19 August 2023 | 19 |
com.cryptopulsing.browser | Criptopulsazione | e165cda25ef49c02ed94ab524fafa938 | shevabad | 2 November 2022 | 6 June 2023 | 790 |
com.brnmth.mtrx | Matrice cerebrale | — | kodaslda | 27 April 2022 | 6 June 2023 | 259 |
According to VirusTotal, as of July 2024, none of these applications were detected as malicious by any security solution.
Technical Analysis: Unmasking Mandrake’s Sophistication
Analysis of the Mandrake samples, AirFS in particular, showed the same multi-stage design that Bitdefender documented: a dropper, a loader, and a core. The notable difference in this campaign is where the dropper hides. Its malicious logic now lives in the native library libopencv_dnn.so rather than in the app’s .dex code, and native code is considerably harder to analyze and to detect than .dex files.
To further complicate detection, the native library is heavily obfuscated with the OLLVM obfuscator; its main job is to decrypt and load the second stage, the loader. Android 13 introduced Restricted Settings, which stop sideloaded apps from being granted certain sensitive permissions directly. Mandrake adapted by installing its next stage through a session-based package installer, the install path app stores use, which Android does not treat as sideloading.
Additionally, Mandrake’s new version features advanced sandbox detection, debugging tools identification, and capabilities to determine the user’s country and mobile operator. The malware can also “see” the set of installed applications, with a significant increase in emulation checks to prevent execution in analysis environments.
A Silent Threat in the Digital Marketplace: The AirFS Malware Campaign
In the ever-evolving landscape of cyber threats, the AirFS malware campaign stands as a stark reminder of the ingenuity and persistence of cybercriminals. This meticulously designed malware, disguised as a benign file-sharing app, operated undetected on Google Play for two years, amassing over 30,000 downloads before its malevolent nature was exposed. This article delves deep into the intricacies of the AirFS malware, its infection chain, evasion techniques, and the broader implications for cybersecurity.
The Disguised Threat: AirFS on Google Play
AirFS presented itself as a straightforward file-sharing application, luring users with promises of convenient file transfers. However, user reviews hinted at underlying issues, with complaints about non-functionality and data theft surfacing sporadically. Despite these warnings, the app managed to evade detection and removal from the Google Play Store, underscoring the sophistication of its design and the challenges faced by app store security mechanisms.
The Infection Chain: A Multi-Stage Attack
The AirFS malware operates through a complex multi-stage infection chain, reminiscent of previous Mandrake campaigns but with notable advancements. The infection begins with a dropper stage, which in earlier versions was embedded within the application’s DEX file. In the latest iteration, the malicious logic is concealed within a native library, libopencv_dnn.so, complicating analysis and detection efforts.
Upon execution, the native library decrypts the next stage, known as the loader, from the assets/raw folder. This stage is heavily obfuscated using the OLLVM obfuscator, further hindering detection. The loader then decrypts and executes the core component, which houses the primary malicious functionalities.
Obfuscation and Evasion Techniques
The developers of AirFS have implemented sophisticated obfuscation and evasion techniques to ensure the malware’s longevity and stealth. The first-stage native library is obfuscated, and its primary function is to decrypt and load the second stage. The second stage employs additional obfuscation and evasion tactics, including environment checks to detect emulators, rooted devices, and security tools like Frida.
Second-stage commands:
Command | Description |
---|---|
start | Start activity |
cup | Set wakelock, enable Wi-Fi, and start main parent service |
cdn | Start main service |
stat | Collect information about connectivity status, battery optimization, “draw overlays” permission, adb state, external IP, Google Play version |
apps | Report installed applications |
accounts | Report user accounts |
battery | Report battery percentage |
home | Start launcher app |
hide | Hide launcher icon |
unload | Restore launcher icon |
core | Start core loading |
clean | Remove downloaded core |
over | Request “draw overlays” permission |
opt | Grant the app permission to run in the background |
The evasion extends to the network. C2 traffic runs over TLS through a statically linked OpenSSL, and the client authenticates with a certificate that ships AES-encrypted inside the APK, so only a client that can decrypt that certificate completes the handshake; the messages inside the session are serialized in a custom JSON-like format. A passive observer therefore sees only TLS, and an analyst who wants to talk to the C2 must first recover the certificate and its key from the sample.
The Core Functionality: Data Exfiltration and Control
Once fully deployed, the AirFS malware’s core functionality is centered around data exfiltration and remote control. The malware collects extensive information about the infected device, including installed applications, mobile network details, IP address, and unique device ID. This data is sent to the C2 server, which then determines whether to proceed with further stages based on the target’s relevance.
Third-stage commands:
Command | Description |
---|---|
start | Start activity |
duid | Change UID |
cup | Set wakelock, enable Wi-Fi, and start main parent service |
cdn | Start main service |
stat | Collect information about connectivity status, battery optimization, “draw overlays” permission, adb state, external IP, Google Play version |
apps | Report installed applications |
accounts | Report user accounts |
battery | Report battery percentage |
home | Start launcher app |
hide | Hide launcher icon |
unload | Restore launcher icon |
restart | Restart application |
apk | Show application install notification |
start_v | Load an interactive webview overlay with a custom implementation of screen sharing with remote access, referred to by the malware developers as “VNC” |
start_a | Load webview overlay with automation |
stop_v | Unload webview overlay |
start_i, start_d | Load webview overlay with screen record |
stop_i | Stop webview overlay |
upload_i, upload_d | Upload screen record |
over | Request “draw overlays” permission |
opt | Grant the app permission to run in the background |
The third stage, or core component, executes various commands received from the C2 server. These commands enable the malware to perform actions such as starting activities, setting wake locks, collecting connectivity status, reporting installed applications, and hiding the launcher icon. The malware can also initiate a webview overlay for screen sharing, record the screen, and automate interactions with the loaded web pages.
Data Decryption Methods
The decryption logic is the same in every stage. Strings are protected with a combination of AES and a custom XOR encoding: encrypted strings sit interleaved with plain ones, the length of each entry is recovered with XOR operations, and the payload is then decrypted with the stage’s key.
The AES step works through the encrypted blob 16 bytes at a time with AES-CFB128. Splitting the data into 16-byte blocks is simply how a CFB decryption proceeds and adds no protection of its own: the secrecy rests entirely on the key and IV, which are embedded in the obfuscated library. Once an analyst has extracted them, every stage’s strings and payloads can be decrypted offline.
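The following Go program is an added example, not code from the sample or from Kaspersky’s write-up, that reproduces the shape of the scheme described above: a table in which plain and encrypted strings are interleaved, each entry’s length is XOR-encoded, and encrypted entries are recovered with AES-CFB128 16 bytes at a time. The entry layout (a XOR’d length byte, a plain/encrypted flag, the payload), the XOR constant, the key, the IV and the sample strings are all constructed for the example; the real sample’s layout and keys are not stated on the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed table layout for this example (an assumption, not the layout
// recovered from the sample). The table is a sequence of entries:
//   [1 byte: payload length XOR lenKey][1 byte: 0 = plain, 1 = AES-CFB128][payload]
const lenKey byte = 0x5A

// Constructed key and IV; in the real sample these live inside the obfuscated library.
var (
	sampleKey = []byte("0123456789abcdef")
	sampleIV  = []byte("fedcba9876543210")
)

// Entry is one string of the table, either stored in the clear or encrypted.
type Entry struct {
	Encrypted bool
	Text      string
}

// BuildTable produces a table in the constructed layout so the decryptor can
// be exercised offline without a sample.
func BuildTable(key, iv []byte, entries []Entry) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	for _, e := range entries {
		payload := []byte(e.Text)
		if len(payload) > 255 {
			return nil, errors.New("entry longer than one length byte allows")
		}
		flag := byte(0)
		if e.Encrypted {
			flag = 1
			ct := make([]byte, len(payload))
			cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, payload)
			payload = ct
		}
		out.WriteByte(byte(len(payload)) ^ lenKey)
		out.WriteByte(flag)
		out.Write(payload)
	}
	return out.Bytes(), nil
}

// DecryptTable walks the table, recovers each length by XOR, copies plain
// entries through and decrypts AES-CFB128 entries 16 bytes at a time with one
// chained keystream. Feeding the blocks one by one to the same decrypter gives
// exactly the output of a single pass over the whole payload: the chunking is
// bookkeeping, not extra protection.
func DecryptTable(key, iv, table []byte) ([]string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var out []string
	for pos := 0; pos < len(table); {
		if pos+2 > len(table) {
			return nil, errors.New("truncated entry header")
		}
		n := int(table[pos] ^ lenKey)
		flag := table[pos+1]
		pos += 2
		if pos+n > len(table) {
			return nil, fmt.Errorf("entry at offset %d claims %d bytes past the end of the table", pos-2, n)
		}
		payload := table[pos : pos+n]
		pos += n
		if flag == 0 {
			out = append(out, string(payload))
			continue
		}
		dec := cipher.NewCFBDecrypter(block, iv)
		plain := make([]byte, n)
		for off := 0; off < n; off += aes.BlockSize {
			end := off + aes.BlockSize
			if end > n {
				end = n
			}
			dec.XORKeyStream(plain[off:end], payload[off:end])
		}
		out = append(out, string(plain))
	}
	return out, nil
}

// Constructed sample strings; only the library name is taken from the page.
var sampleEntries = []Entry{
	{Encrypted: false, Text: "libopencv_dnn.so"},
	{Encrypted: true, Text: "constructed secret string"},
	{Encrypted: true, Text: "a string longer than sixteen bytes to cross a block boundary"},
}

func main() {
	table, err := BuildTable(sampleKey, sampleIV, sampleEntries)
	if err != nil {
		panic(err)
	}
	strs, err := DecryptTable(sampleKey, sampleIV, table)
	if err != nil {
		panic(err)
	}
	for i, s := range strs {
		fmt.Printf("%d: %q\n", i, s)
	}
}
```

Two things worth noticing when adapting this to a real sample. A wrong key does not produce an error, only plausible-looking garbage, so a recovered key should be validated against a string you already know is in the table (a library or class name, for instance). And because every encrypted entry here restarts CFB from the same IV, the first 16 keystream bytes repeat across entries; whether the real sample does the same is not stated on the page, but it is the first thing to check once the key material is in hand.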
Installing Next-Stage Applications
AirFS employs a unique approach to bypass the “Restricted Settings” feature introduced in Android 13, which restricts sideloaded applications from requesting dangerous permissions. The malware uses a session-based package installer to process the installation of additional malicious APK files. This technique involves showing a notification that mimics a legitimate Google Play update, tricking users into initiating the installation process.
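One practical consequence of a session-based install is that Android records the app that opened the installer session as the installing package, so a stage dropped this way shows the dropper, not the store, as its installer. The Go program below is an added example, not tooling from the page, of the check a responder can run over `adb shell pm list packages -i` output to surface that pattern. The output lines are constructed in the shape that command prints (`package:<name>  installer=<installer or null>`); every package name other than com.airft.ftrnsfr is a placeholder, and the treatment of `null` as "preinstalled or adb" is the example's assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed output in the shape of `adb shell pm list packages -i`.
// com.airft.ftrnsfr is the AirFS package from the page; the rest are placeholders.
const samplePmOutput = `package:com.android.chrome  installer=com.android.vending
package:com.airft.ftrnsfr  installer=com.android.vending
package:com.example.stage  installer=com.airft.ftrnsfr
package:com.example.orphan  installer=com.gone.dropper
package:com.android.settings  installer=null
package:org.example.sideloaded  installer=com.google.android.packageinstaller
`

// Installers that account for a package on their own: the store, the system
// package installer that handles user-initiated sideloads, and null for
// preinstalled or adb-installed packages (assumption for this example).
var expectedInstallers = map[string]bool{
	"com.android.vending":                 true,
	"com.google.android.packageinstaller": true,
	"null":                                true,
}

// ParseInstallers maps each package to the installer pm reports for it.
func ParseInstallers(out string) map[string]string {
	res := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || !strings.HasPrefix(fields[0], "package:") {
			continue
		}
		pkg := strings.TrimPrefix(fields[0], "package:")
		installer := "null"
		for _, f := range fields[1:] {
			if strings.HasPrefix(f, "installer=") {
				installer = strings.TrimPrefix(f, "installer=")
			}
		}
		res[pkg] = installer
	}
	return res
}

// Finding is a package installed by another app, with that app's own origin.
type Finding struct {
	Package         string
	Installer       string
	InstallerOrigin string
}

// AppInstalledPackages flags packages whose installer is another app and
// records where that app came from. A Play-distributed dropper that installs
// its next stage through a PackageInstaller session shows up as
// stage -> dropper -> com.android.vending; a dropper that has since been
// removed (the page's "hide"/"clean" behaviour) shows up as "not installed".
func AppInstalledPackages(installers map[string]string) []Finding {
	var out []Finding
	for pkg, inst := range installers {
		if expectedInstallers[inst] {
			continue
		}
		origin, known := installers[inst]
		if !known {
			origin = "not installed"
		}
		out = append(out, Finding{Package: pkg, Installer: inst, InstallerOrigin: origin})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Package < out[j].Package })
	return out
}

func main() {
	for _, f := range AppInstalledPackages(ParseInstallers(samplePmOutput)) {
		fmt.Printf("%s was installed by %s (itself installed by %s)\n",
			f.Package, f.Installer, f.InstallerOrigin)
	}
}
```

The check is cheap and works on a live device or on a `pm` dump captured during triage; it does not prove malice, since legitimate app stores and enterprise agents also install through sessions, but any consumer app that has installed another package deserves a closer look.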
Sandbox Evasion and Environment Checks
The latest versions of AirFS demonstrate a significant increase in code complexity and the number of checks to evade sandbox environments. The malware detects the presence of Frida, a popular dynamic instrumentation toolkit, by calculating the CRC of all libraries and continuously monitoring for changes. It also checks for common indicators of rooted devices, such as the presence of su binaries, SuperUser.apk, Busybox, Xposed framework, and Magisk files.
Additionally, the malware verifies whether development settings and ADB (Android Debug Bridge) are enabled and checks for the presence of a Google account and Google Play application on the device. These checks ensure that the malware operates primarily on genuine user devices, minimizing the risk of detection by security analysts.
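To make the library-checksum trick concrete, here is an added Go example (not the malware’s code) of the same idea from the analyst’s side: take a CRC-32 baseline of every file-backed .so mapping in /proc/<pid>/maps, re-check later, and report libraries that appeared or changed, plus anything with "frida" in its path. The maps excerpts, the library contents and the "frida-agent-64.so" path are constructed for the example; the page does not say which libraries Mandrake checksums or whether it hashes the on-disk file or the mapped memory.

```go
package main

import (
	"fmt"
	"hash/crc32"
	"sort"
	"strings"
)

// Constructed /proc/<pid>/maps excerpts. Paths are placeholders except
// libopencv_dnn.so, which is the library name from the page.
const cleanMaps = `7f0000000000-7f0000020000 r-xp 00000000 fd:00 123 /system/lib64/libc.so
7f0000020000-7f0000030000 r--p 00020000 fd:00 123 /system/lib64/libc.so
7f0001000000-7f0001100000 r-xp 00000000 fd:00 456 /data/app/pkg/lib/arm64/libopencv_dnn.so
7f0002000000-7f0002001000 rw-p 00000000 00:00 0 [anon:libc_malloc]
7f0003000000-7f0003001000 rw-p 00000000 00:00 0 [stack]
`

// The same process after a (constructed) Frida attach: one more mapping.
const hookedMaps = cleanMaps + `7f0004000000-7f0004200000 r-xp 00000000 fd:00 789 /data/local/tmp/frida-agent-64.so
`

// Constructed stand-in for the code bytes of each mapped library. A real check
// must hash the mapped region itself (e.g. via /proc/self/mem), because Frida
// patches code in memory and leaves the file on disk untouched.
var cleanCode = map[string][]byte{
	"/system/lib64/libc.so":                    []byte("libc code: open read write"),
	"/data/app/pkg/lib/arm64/libopencv_dnn.so": []byte("dnn code: decrypt load"),
}

// hookedCode simulates an inline hook: the prologue of a libc function is
// overwritten with a trampoline, and the Frida agent is now present.
func hookedCode() map[string][]byte {
	m := map[string][]byte{}
	for k, v := range cleanCode {
		m[k] = append([]byte(nil), v...)
	}
	copy(m["/system/lib64/libc.so"], "TRAMPOLINE")
	m["/data/local/tmp/frida-agent-64.so"] = []byte("frida agent")
	return m
}

// LibraryPaths extracts the unique file-backed .so mappings from maps text.
func LibraryPaths(maps string) []string {
	seen := map[string]bool{}
	for _, line := range strings.Split(maps, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 {
			continue
		}
		if p := f[5]; strings.HasPrefix(p, "/") && strings.HasSuffix(p, ".so") {
			seen[p] = true
		}
	}
	paths := make([]string, 0, len(seen))
	for p := range seen {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	return paths
}

// Snapshot records one CRC-32 per mapped library.
func Snapshot(maps string, code map[string][]byte) map[string]uint32 {
	s := map[string]uint32{}
	for _, p := range LibraryPaths(maps) {
		s[p] = crc32.ChecksumIEEE(code[p])
	}
	return s
}

// Check re-snapshots and returns everything that differs from the baseline;
// the implant would run this in a loop and bail out on any alert.
func Check(baseline map[string]uint32, maps string, code map[string][]byte) []string {
	var alerts []string
	for p, sum := range Snapshot(maps, code) {
		if strings.Contains(strings.ToLower(p), "frida") {
			alerts = append(alerts, "frida library mapped: "+p)
		}
		old, known := baseline[p]
		switch {
		case !known:
			alerts = append(alerts, "new library: "+p)
		case old != sum:
			alerts = append(alerts, "modified library: "+p)
		}
	}
	sort.Strings(alerts)
	return alerts
}

func main() {
	baseline := Snapshot(cleanMaps, cleanCode)
	fmt.Println("clean:", Check(baseline, cleanMaps, cleanCode))
	fmt.Println("hooked:", Check(baseline, hookedMaps, hookedCode()))
}
```

For an analyst the lesson runs the other way: a checksum over mapped code catches inline hooks and a fresh agent mapping, so instrumentation that survives it has to avoid both, for instance by attaching before the baseline is taken (spawn rather than attach) and keeping the agent out of any path the implant enumerates.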
C2 Communication Protocols
The C2 channel is built for stealth. The core statically links OpenSSL and authenticates to the server with a client certificate that is stored AES-encrypted under assets/raw and decrypted at runtime, so only a client holding that certificate can complete a connection. All messages exchanged over the channel use the custom JSON-like serialization.
The C2 server issues commands to the malware using a predefined set of opcodes, with different opcodes representing various actions. For example, request opcode 1000 is used to send device information, while response opcode 1010 instructs the malware to install the next-stage APK. This structured communication protocol allows the malware to execute a wide range of actions based on the commands received from the C2 server.
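The following Go program is an added example, not code from the sample, that simulates the opcode exchange described in this section and in the core-functionality section above: the implant reports its device fingerprint under request opcode 1000, the server decides whether the target is worth a next stage, and a response opcode 1010 carries the install order. Only the two opcodes and the reported fields come from the page; the message layout (JSON here, standing in for the custom JSON-like format), the "nothing to do" opcode 0, the gating rule and the placeholder URL on the .invalid domain are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Opcodes 1000 and 1010 are the two the page names; OpNone is an assumption.
const (
	OpDeviceInfo = 1000 // request: implant sends its device fingerprint
	OpInstallAPK = 1010 // response: server orders the next-stage install
	OpNone       = 0    // response: nothing to do (hypothetical)
)

// Message is the example's envelope; the real format is a custom JSON-like serialization.
type Message struct {
	Op   int             `json:"op"`
	Body json.RawMessage `json:"body,omitempty"`
}

// DeviceInfo mirrors the fields the page says the core reports.
type DeviceInfo struct {
	DeviceID         string   `json:"duid"`
	Country          string   `json:"country"`
	Operator         string   `json:"operator"`
	IP               string   `json:"ip"`
	Apps             []string `json:"apps"`
	HasGoogleAccount bool     `json:"gacc"`
	Emulator         bool     `json:"emu"`
}

// InstallOrder is the body of an opcode 1010 response.
type InstallOrder struct {
	URL string `json:"url"`
}

func encode(op int, body interface{}) ([]byte, error) {
	raw, err := json.Marshal(body)
	if err != nil {
		return nil, err
	}
	return json.Marshal(Message{Op: op, Body: raw})
}

// ClientReport is the implant side: opcode 1000 carrying the fingerprint.
func ClientReport(d DeviceInfo) ([]byte, error) {
	return encode(OpDeviceInfo, d)
}

// ServerDecide stands in for the C2. The gating rule (no emulators, no
// devices without a Google account, no empty device ID) is hypothetical; the
// page only says the server judges the target's relevance.
func ServerDecide(req []byte) ([]byte, error) {
	var m Message
	if err := json.Unmarshal(req, &m); err != nil {
		return nil, err
	}
	if m.Op != OpDeviceInfo {
		return nil, fmt.Errorf("unexpected request opcode %d", m.Op)
	}
	var d DeviceInfo
	if err := json.Unmarshal(m.Body, &d); err != nil {
		return nil, err
	}
	if d.Emulator || !d.HasGoogleAccount || d.DeviceID == "" {
		return encode(OpNone, struct{}{})
	}
	return encode(OpInstallAPK, InstallOrder{URL: "hxxp://c2.invalid/stage3.apk"})
}

// ClientHandle dispatches on the response opcode and returns the action taken.
func ClientHandle(resp []byte) (string, error) {
	var m Message
	if err := json.Unmarshal(resp, &m); err != nil {
		return "", err
	}
	switch m.Op {
	case OpNone:
		return "idle", nil
	case OpInstallAPK:
		var o InstallOrder
		if err := json.Unmarshal(m.Body, &o); err != nil {
			return "", err
		}
		if o.URL == "" {
			return "", errors.New("install order without a URL")
		}
		return "install " + o.URL, nil
	default:
		return "", fmt.Errorf("unknown response opcode %d", m.Op)
	}
}

// Exchange runs one full round trip and returns what the implant would do.
func Exchange(d DeviceInfo) (string, error) {
	req, err := ClientReport(d)
	if err != nil {
		return "", err
	}
	resp, err := ServerDecide(req)
	if err != nil {
		return "", err
	}
	return ClientHandle(resp)
}

func main() {
	real := DeviceInfo{DeviceID: "d1", Country: "IT", Operator: "op", IP: "203.0.113.7",
		Apps: []string{"com.android.vending"}, HasGoogleAccount: true}
	fmt.Println(Exchange(real))
	fmt.Println(Exchange(DeviceInfo{DeviceID: "d2", Emulator: true, HasGoogleAccount: true}))
}
```

The server-side gate is the part that matters operationally: because the next stage is only handed out to devices that pass it, a sandbox that reports as an emulator or lacks a Google account never receives the core, which is one reason the apps sat on VirusTotal with zero detections.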
Attribution and Broader Implications
The AirFS malware campaign exhibits strong similarities to previous Mandrake campaigns, with the C2 domains registered in Russia, suggesting the involvement of the same threat actor. The persistence and sophistication of this campaign highlight the evolving nature of cyber threats and the continuous cat-and-mouse game between cybercriminals and security professionals.
The AirFS campaign underscores the importance of robust security measures, including regular updates to detection mechanisms, thorough analysis of application behavior, and the implementation of advanced threat intelligence solutions. As cybercriminals continue to develop more sophisticated malware, the need for proactive and adaptive cybersecurity strategies becomes increasingly critical.
The AirFS malware campaign represents a significant threat to Android users, demonstrating the lengths to which cybercriminals will go to evade detection and achieve their objectives. The multi-stage infection chain, advanced obfuscation and evasion techniques, and secure C2 communications employed by AirFS highlight the need for continuous vigilance and innovation in the field of cybersecurity. By understanding the mechanisms and strategies used by such sophisticated malware, security professionals can better protect users and systems from emerging threats.
Implications and Future Outlook
The discovery of Mandrake 2.0 underscores the evolving nature of malware threats and the ongoing battle between cybercriminals and security researchers. The sophisticated techniques employed by Mandrake to avoid detection highlight the need for continuous advancements in cybersecurity measures and user awareness. As malware continues to evolve, so must the strategies and technologies used to combat it, ensuring the safety and security of users worldwide.
In conclusion, the new version of Mandrake presents a formidable challenge to global cybersecurity efforts. Its ability to remain undetected for extended periods, coupled with advanced obfuscation and multi-stage operations, makes it a significant threat. Continuous vigilance, enhanced detection technologies, and international collaboration are essential in addressing and mitigating the risks posed by such sophisticated malware.