Multi-part Android spyware lurked in the Google Play Store for 4 years, posing as a bunch of legitimate-looking apps • The Register
According to a new Bitdefender report, a recently discovered family of Android spyware lurked in the Google Play Store disguised as a Coinbase cryptocurrency wallet, among other things, for up to four years.

The malware, named Mandrake by the security firm, uses a three-stage structure that allowed its operators to evade Google's routine scanning.

Starting with a harmless-looking dropper hosted in the Google Play Store, disguised as one of a number of legitimate apps, Mandrake allowed its Russian operators to spy on virtually everything unsuspecting targets were doing on their mobile phones.

“The crew could be based in Russia or Kazakhstan,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, told The Register.

The Mandrake malware … fully compromised the target device, granting device administrator privileges to forward all incoming SMS messages to the operator’s server or a specific number, send text messages, make calls, steal information from the contact list, activate and record GPS location, steal Facebook and financial app credentials, record screen and more …

In addition to posing as Coinbase, Mandrake’s operators disguised their malware as apps for Amazon, Gmail, the Google Chrome browser, various Australian and German banks, the XE currency conversion service, and PayPal. Once a victim had downloaded the malicious application, the dropper component, at a time chosen by the operators, would download the second stage, the loader.

Even the droppers were able to remotely enable Wi-Fi, collect device information, hide their own presence by suppressing notifications, and automatically install new applications. The anti-analysis components in one variety of Mandrake dropper, presented to users as a CAPTCHA, helped the malware evade investigators’ scrutiny by detecting whether it was running on a virtual machine or emulator.

In turn, the loader components would download and install the main Mandrake malware. This fully compromised the target device, granting device administrator privileges to forward all incoming SMS messages to the operator’s server or a specific number, send text messages, make calls, steal contact list information, activate and record GPS location, steal Facebook and financial application credentials, record the screen and, as icing on the cake, “start the factory reset [to] erase all user data,” wiping the malware itself in the process.
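The capability list above maps onto a recognisable permission profile in an app's manifest: device-admin enrolment, SMS receipt and sending, contacts, fine location, calls, overlays, runtime package installation and an accessibility service. The following script is an added triage heuristic, not Bitdefender's detection logic or anything from the Mandrake samples, that scores a decoded AndroidManifest.xml against that profile. The two manifests embedded in it are constructed for the example; the package names and component names are placeholders.

```python
"""Triage heuristic for a decoded AndroidManifest.xml (added example).

Flags the combination of capabilities the report attributes to Mandrake's
final stage (device admin, SMS interception, contacts, GPS, calls, overlays,
second-stage installs, accessibility access). A hit is a reason for analyst
review, not a verdict: plenty of legitimate apps hold a few of these.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permission names, each mapped to the behaviour described in the article.
WATCHED_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.SEND_SMS": "SMS sending",
    "android.permission.CALL_PHONE": "outgoing calls",
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay / credential phishing",
    "android.permission.REQUEST_INSTALL_PACKAGES": "second-stage install",
    "android.permission.CHANGE_WIFI_STATE": "remote Wi-Fi control",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return a score, the list of findings and a review flag for one manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []

    for node in root.iter("uses-permission"):
        name = node.get(NAME_ATTR, "")
        if name in WATCHED_PERMISSIONS:
            findings.append(f"{WATCHED_PERMISSIONS[name]} ({name.rsplit('.', 1)[-1]})")

    # Device-admin receivers and accessibility services are declared by the
    # permission the component is protected with, not by a uses-permission.
    device_admin = accessibility = False
    app = root.find("application")
    if app is not None:
        for recv in app.iter("receiver"):
            if recv.get(PERM_ATTR) == "android.permission.BIND_DEVICE_ADMIN":
                device_admin = True
        for svc in app.iter("service"):
            if svc.get(PERM_ATTR) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
                accessibility = True
    if device_admin:
        findings.append("device administrator receiver (wipe / factory-reset capability)")
    if accessibility:
        findings.append("accessibility service (screen and input capture)")

    sms = any("SMS" in f for f in findings)
    score = len(findings)
    # Device admin plus SMS access is the article's core profile; a broad
    # spread of the other capabilities is suspicious on its own.
    return {"score": score, "findings": findings, "review": (device_admin and sms) or score >= 5}


# Constructed sample: what an ordinary network-using app typically declares.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Reader"><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed sample mirroring the capability profile described in the article.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Wallet">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        result = triage_manifest(xml)
        print(f"{label}: score={result['score']} review={result['review']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against manifests extracted with apktool or a similar decoder; the script only reads the XML, so it can be dropped into a batch job over a store crawl. Because Mandrake's droppers were largely harmless-looking, this profile will fire on the final stage rather than the Play Store listing itself, which is exactly the detection gap the article describes.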

“We assume that the number of victims is in the count of tens of thousands, but we do not know how many for sure,” Botezatu told us. Bitdefender speculated that each attack during the four-year period was human-driven rather than fully automated, as many money-stealing malware families are.

Bitdefender tracked the Google Play Store developer accounts linked to the droppers and identified an independent Russian developer hiding behind a network of fake company websites, stolen identities, fake email addresses and job ads in North America.

Spyware of this depth is normally the exclusive preserve of state-backed agencies, or of companies that sell shady products to such agencies and to law enforcement.

Last year, ESET discovered open source spyware targeting Baloch people in the Afghanistan and Pakistan region, while a 2017 Black Hat presentation went into detail about efforts to clean the Google Play Store of government surveillance malware of the same type as Mandrake. Despite these efforts, however, stalkerware of the merely criminal rather than espionage kind continues to linger in the store, which Google says it vets.

However, even the best automated scan cannot detect every new threat from certain governments. ®