
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years

Wed 29 Jul 2020

Although similar financially motivated Android threats such as Anubis or Ginp were discovered, Mandrake stayed in the shadows for at least 4 years. During this time it stole data from at least tens of thousands of users.

“It takes special care not to infect everyone.” This is exactly what the actor did, and most likely why it remained under the radar for 4 full years. Because of this strategy, the actual number of infections we were able to trace is quite low: the Google Play apps used as droppers to infect targets have only hundreds or, in some cases, thousands of downloads. Some infected users may never face an attack at all if they are of no interest to the actor. If everything goes wrong, or interest in a victim is lost, Mandrake has a kill-switch: a special command called seppuku (the Japanese form of ritual suicide) that can be issued to wipe all of the victim's data and leave no trace of the malware.

During our research, we caught Mandrake red-handed while conducting phishing attacks against several finance and shopping applications, as follows:

● CommSec, an investment trading application used to “trade and manage your investments on the go” for Australian companies.

● Cryptocurrency wallet applications such as Luno or Coinbase, applications with millions of downloads.

● The Amazon shopping application is also on the target list, as are the Gmail application and Google Chrome.

● Several Australian, Polish and German banking applications: “ANZ Australia”, “Commonwealth Bank of Australia” and “Bank of Melbourne Mobile Banking” from Australia, “PLUS BANK S.A.” and “mBank” from Poland, and “Deutsche Kreditbank AG” from Germany.

● Phishing attempts against “BMO, Bank of Montreal” were also observed, asking for credentials and credit card information.

● Going even further, “AustralianSuper”, “the largest Australian superannuation and pension fund”, is also targeted.

● Payment applications such as PayPal and the “PostePay” application from “Poste Italiane” are not left behind.

● Phishing attacks on Gmail accounts were also observed on our honeypots.
