Spyware Undetected on Google Play Store for Years
Five apps on the Google Play Store have been spreading a sophisticated spyware known as Mandrake for years, according to a report from cybersecurity firm Kaspersky. The spyware, which has been active since at least 2020, re-emerged in 2022 after apparently disappearing for a few years. It was hidden within seemingly innocuous applications that have since been downloaded more than 32,000 times.
This latest iteration of the spyware went undetected for two years, staying hidden within Google Play Store apps until March 2024. Mandrake is a highly advanced piece of spyware designed to steal sensitive data, monitor user activity, and even control infected devices remotely.
The spyware's return was first flagged by Kaspersky, which identified the malicious apps and detailed the sophisticated techniques used to avoid detection. In its report, Kaspersky noted, "The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries."
The most popular infected app was AirFS, a file-sharing application with over 30,000 downloads. Other apps, such as Astro Explorer, Amber, CryptoPulsing, and Brain Matrix, also contributed to the spyware’s spread, though to a lesser extent. These applications primarily targeted users in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
The spyware operates in multiple stages: a dropper, which hides the initial malicious code; a loader, which decrypts and executes further malicious components; and the core, which carries out the bulk of the spying activities. Bitdefender had previously analyzed Mandrake in 2020 and described it as “an incredibly sophisticated piece of Android malware”.
Google Play’s security measures, including the Play Protect feature, failed to identify and block these malicious apps until recently, raising concerns about the effectiveness of its current security protocols.
Google responded to the incident by stating that Play Protect is continuously improving to combat such threats, and emphasized that "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services."