Original Release Date: 5/26/2020
Mandrake, malware targeting Android devices, circulated undetected for at least four years. Its capabilities include stealing account credentials, recording what is displayed on the screen, and GPS tracking. The threat actor behind it appears to go after a small number of high-value users with the intent of taking over their devices and compromising their accounts. While the initial targets were located in Australia, devices around the world have been compromised.

The malware is delivered in multiple stages. First, a seemingly innocuous app hosted on the Google Play store is installed on the device. The app then tricks the user into granting excessive permissions by displaying what looks like a request to accept an End-User License Agreement; tapping to accept the "agreement" actually grants the app permissions that give the threat actor complete control over the device. Once the later stages have been downloaded and the desired information has been stolen, a kill-switch can be engaged that wipes evidence of Mandrake from the device.
The NJCCIC recommends that Android users research app developers and read user reviews prior to installing an app. Although Mandrake's first stage was distributed through Google Play, official app stores remain the safest source, and downloading apps from anywhere else is still strongly discouraged. Android users are encouraged to review the permissions each installed app holds by opening their device's settings and navigating to a section often titled "App Permissions," "Permissions Manager," or similar. The Bitdefender whitepaper provides additional technical details on the Mandrake malware.
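The permission review described above can also be done from a workstation for a device connected over USB debugging. The script below is an added example written for this page, not code from the NJCCIC or from the Bitdefender whitepaper; it parses the text produced by `adb shell dumpsys package` and flags any package that has been granted permissions matching the capabilities the advisory attributes to Mandrake. The shortlist of risky permissions is the author's own, the excerpt embedded in the script is a constructed sample modelled on real `dumpsys package` output (one benign notes app and one "flashlight" app that has been granted far more than it needs), and the line layout the parser expects is an assumption about that output format.

```python
import re
import sys
from typing import Dict, List

# Permissions worth a second look because they map onto the capabilities the
# advisory attributes to Mandrake (location tracking, watching the screen,
# harvesting credentials and one-time codes). This mapping is the author's own
# shortlist for this example, not an official list.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "GPS tracking while in background",
    "android.permission.RECORD_AUDIO": "audio capture",
    "android.permission.READ_SMS": "reading SMS one-time codes",
    "android.permission.RECEIVE_SMS": "intercepting SMS one-time codes",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.SYSTEM_ALERT_WINDOW": "drawing over other apps (fake prompts)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "reading the screen / injecting taps",
    "android.permission.BIND_DEVICE_ADMIN": "device administration (lock, wipe)",
}

# Constructed sample in the shape of `adb shell dumpsys package` output.
# Package names, hashes and grants are invented for this example.
SAMPLE_DUMPSYS = """\
Package [com.example.notes] (1a2b3c):
  userId=10123
  versionName=2.1
  install permissions:
    android.permission.INTERNET: granted=true
  User 0: ceDataInode=1 installed=true hidden=false
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
Package [com.example.flashlight] (9f8e7d):
  userId=10124
  versionName=1.0
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.SYSTEM_ALERT_WINDOW: granted=true
  User 0: ceDataInode=1 installed=true hidden=false
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
"""

# A package block starts with "Package [name] (hash):"; permission lines under
# both "install permissions:" and "runtime permissions:" carry "granted=true/false".
PACKAGE_RE = re.compile(r"^Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)\b")


def parse_granted_permissions(dumpsys_text: str) -> Dict[str, List[str]]:
    """Return {package: [permissions actually granted]} from dumpsys text.

    Permissions that are merely requested (granted=false) are dropped, since
    the advisory's concern is what the app can already do.
    """
    grants: Dict[str, List[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            grants[current] = []
            continue
        perm = PERM_RE.match(line)
        if perm and current is not None and perm.group(2) == "true":
            grants[current].append(perm.group(1))
    return grants


def flag_risky(grants: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Return {package: {permission: why it matters}} for packages holding
    any permission on the RISKY_PERMISSIONS shortlist."""
    findings: Dict[str, Dict[str, str]] = {}
    for pkg, perms in grants.items():
        hits = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
        if hits:
            findings[pkg] = hits
    return findings


def report(dumpsys_text: str) -> List[str]:
    """Human-readable lines, one per flagged package, sorted for stable output."""
    findings = flag_risky(parse_granted_permissions(dumpsys_text))
    lines = []
    for pkg in sorted(findings):
        reasons = "; ".join(f"{p.rsplit('.', 1)[-1]} ({why})" for p, why in sorted(findings[pkg].items()))
        lines.append(f"{pkg}: {reasons}")
    return lines


if __name__ == "__main__":
    # Usage: adb shell dumpsys package > dump.txt && python audit.py dump.txt
    # With no argument the constructed sample above is audited instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    for line in report(text) or ["no packages hold shortlisted permissions"]:
        print(line)
```

On the sample, only com.example.flashlight is reported, for SYSTEM_ALERT_WINDOW, ACCESS_FINE_LOCATION and RECORD_AUDIO; READ_SMS is not reported because it was requested but never granted. The overlay permission is on the shortlist deliberately: an app that can draw over other apps is exactly what is needed to present a fake "accept the license" prompt on top of a real system permission dialog, which is the style of trick the advisory describes. A script like this cannot tell a legitimate navigation app from malware, so treat its output as a list of apps to look at, not as a verdict.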