A research team at Bitdefender Labs has exposed an Android malware family called Mandrake, which has been stealing user data since 2016. Bitdefender points out that its behavior differs from that of most common threats: Mandrake is not focused on infecting as many devices as possible, but on extracting as much data as possible from specific users. In that sense, the malware is quite "choosy" about its victims.
As with biological viruses, high infectivity makes a threat easier to notice. Mandrake instead does its best to stay hidden and to squeeze as much data as it can out of each targeted device.
According to Bitdefender's in-depth analysis, the malware is deliberately configured not to run on devices in certain regions, including the former Soviet Union, Africa and the Middle East. Australia is the most heavily targeted country, and there have been many infections in the United States, Canada and several European countries.
Mandrake was first identified earlier this year, but its activity can be traced back to 2016. At that time it was estimated to have infected thousands of devices; the latest campaign is believed to have reached hundreds of thousands.
The Google Play store failed to catch the malware because the apps Mandrake publishes do not contain the malicious component at all. The malicious payload is only downloaded and loaded after the app receives an instruction from its operators, so there is nothing for Google's pre-publication screening to find.
Once the payload is on the device, the malware can immediately steal whatever data its operators want, including login credentials for websites and applications.
Mandrake can also draw its own content over the screen. A victim who believes they are looking at a perfectly normal page may in fact be granting permissions, and handing over data, to the people behind the malware.
Bitdefender's director of threat research and reporting, Bogdan Botezatu, calls it "one of the most powerful Android malware to date"; its ultimate goal is to take complete control of the device and of the user's accounts.
To avoid being noticed, Mandrake has been distributed through the Google Play store under various guises for years, publishing many new applications under many different developer names.
To give users a false impression of trustworthiness, the developers also respond attentively to user reviews and reported problems, and some of the apps even have active social media accounts associated with them.
Once the malware has collected all the data it wants, it can erase its traces from the device completely, leaving the victim with no idea what has happened.
Given that these apps were distributed through Google Play itself, the usual advice still applies but is not sufficient on its own: check the reputation of an app's developer, do not install apps from unreliable sources, and be suspicious of any app that asks for permissions it has no obvious need for, especially the ability to draw over other apps.