Tom’s Guide
Technology
Anthony Spadafora

This dangerous Android spyware has returned via malicious Play Store apps — delete them right now


Cybersecurity researchers have discovered a new version of the Mandrake Android spyware hiding in apps on the Google Play Store.

As reported by BleepingComputer, Mandrake was first documented by Bitdefender in 2020, but it had already been operating in the wild since at least 2016. Now Kaspersky has found a new variant of the spyware that is considerably better at evading detection.

In a new report, the cybersecurity firm’s researchers explain that this new version of Mandrake managed to sneak onto the Play Store in five apps submitted back in 2022. Surprisingly, most apps remained available for at least a year, while one held out for two years before it was eventually discovered.

If you own one of the best Android phones and are worried about this resurfaced threat, here’s everything you need to know about the Mandrake spyware and how to stay safe from malware.

Delete these apps right now

At the time of writing, all malicious apps found to contain this new version of the Mandrake spyware have been removed from the Google Play Store. However, if you have any of them installed on your smartphone or one of the best Android tablets, you must manually delete them. 

Here are the apps in question, along with how many times unsuspecting Android users have downloaded them:

  • AirFS - 30,305 downloads
  • Astro Explorer - 718 downloads
  • Amber - 19 downloads
  • CryptoPulsing - 790 downloads
  • Brain Matrix - 259 downloads

Of these malicious apps, AirFS is the one that managed to evade detection the longest, and it was up on the Play Store for two years before eventually being taken down back in March of this year. According to Kaspersky, Android users mainly downloaded these apps in the U.K., Canada, Germany, Italy, Mexico, Spain and Peru.

Hiding in plain sight


The malicious apps spreading the Mandrake spyware do things a bit differently than your typical Android malware. Instead of putting the malicious logic in the app’s DEX file, where most Play Store scanning focuses, Mandrake hides its first stage in a native library called “libopencv_dnn.so” that is obfuscated with OLLVM (Obfuscator-LLVM).

Once the app is installed on a victim’s phone, this library exports functions that decrypt the second-stage loader DEX from the app’s assets folder and load it directly into memory, so the unencrypted second stage never sits on disk as a file a scanner can pick up.

This second stage requests permission to draw over other apps, the same permission used in overlay attacks. It also loads a second native library (called “libopencv_java3.so”), which decrypts a certificate used to secure communications with the attackers’ command and control (C2) server.

Once the malicious app has connected to the C2 server, it sends a device profile and receives its third stage, which is the Mandrake spyware itself. The spyware can perform a wide range of malicious actions: collecting data, screen recording and monitoring, command execution, simulating swipes and taps, managing files, and even installing additional malicious apps.
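To make the loader layout described above concrete, here is an added Python triage script (not Kaspersky’s tooling and not code from the report) that inspects an APK for that pattern: code shipped in a native library under lib/, plus an opaque, high-entropy asset that could be an encrypted second-stage DEX. The two library names come from the text above; everything else, including the entropy threshold, the file names in the sample APK, the key and the SHA-256 counter keystream used as a stand-in cipher, is an assumption made for this example, and the sample APK is constructed inline rather than taken from a real sample.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

# Library names given in the Kaspersky report for this campaign (see the text above).
REPORTED_LIBS = {"libopencv_dnn.so", "libopencv_java3.so"}

# File-type magics we treat as "known plaintext"; anything else with high entropy is
# a candidate for an encrypted payload such as the second-stage DEX.
KNOWN_MAGIC = {
    b"dex\n": "dex",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted or compressed data, lower for text or code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_magic(data: bytes):
    """Return the file kind if the data starts with a known magic, else None."""
    return next((kind for magic, kind in KNOWN_MAGIC.items() if data.startswith(magic)), None)


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5, min_size: int = 1024) -> dict:
    """Walk the APK (a zip) and collect indicators of a native-library staged loader.

    Heuristic only: a game shipping an encrypted asset next to a real OpenCV build will
    match too, so this ranks apps for manual review rather than convicting them.
    """
    findings = {"dex_files": [], "native_libs": [], "reported_libs": [], "suspicious_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.startswith("classes") and name.endswith(".dex"):
                findings["dex_files"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
                if name.rsplit("/", 1)[-1] in REPORTED_LIBS:
                    findings["reported_libs"].append(name)
            elif name.startswith("assets/"):
                data = z.read(name)
                if len(data) < min_size:
                    continue  # tiny files give unreliable entropy estimates
                entropy = shannon_entropy(data)
                # High entropy alone is not enough: a PNG or a plain DEX is also high-entropy.
                if sniff_magic(data) is None and entropy >= entropy_threshold:
                    findings["suspicious_assets"].append((name, round(entropy, 2)))
    # The pattern from the report: code in a native library plus an opaque asset to decrypt.
    findings["matches_pattern"] = bool(findings["native_libs"] and findings["suspicious_assets"])
    return findings


# --- Constructed sample input (not a real Mandrake sample) -------------------------

def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream); the page does not say what Mandrake uses."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


FAKE_DEX = b"dex\n035\x00" + bytes(range(256)) * 16     # DEX magic + filler body (constructed)
STAGE_KEY = b"example-key"                               # assumed key, held by the native lib
ENCRYPTED_STAGE2 = xor_keystream(FAKE_DEX, STAGE_KEY)


def build_sample_apk(stage2_asset: bytes) -> bytes:
    """Minimal zip laid out like an APK; the manifest is a placeholder, not real binary XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)                # benign-looking DEX
        z.writestr("lib/arm64-v8a/libopencv_dnn.so", b"\x7fELF" + b"\x00" * 60)  # fake first stage
        z.writestr("assets/opencv_model.bin", stage2_asset)                     # opaque asset
        z.writestr("assets/readme.txt", b"plain text, too small to score")
    return buf.getvalue()


def recovered_stage2_magic(apk_bytes: bytes, key: bytes) -> bytes:
    """What the native library's export would see after decrypting the asset in memory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return xor_keystream(z.read("assets/opencv_model.bin"), key)[:4]


if __name__ == "__main__":
    sample = build_sample_apk(ENCRYPTED_STAGE2)
    for key, value in triage_apk(sample).items():
        print(f"{key}: {value}")
    print("decrypted magic:", recovered_stage2_magic(sample, STAGE_KEY))
```

Run against the constructed sample, the script flags the native library by name and the asset by entropy, while the same asset stored as a plain DEX is not flagged because its magic is recognised. That is the point of the layout the report describes: without the key held inside the obfuscated .so, the second stage is just an opaque blob that looks like a model file.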

The hackers behind this spyware have also devised a way to display notifications that impersonate real ones from the Play Store to trick users into side-loading additional malware through APK files. 

Just like other dangerous Android malware strains, Mandrake abuses Android permissions to keep running in the background and hides its app icon from the launcher, so it can operate unnoticed for long stretches.

How to stay safe from Android malware


While all five malicious apps in question have since been removed from the Play Store, cybercriminals could use new, harder-to-detect apps to continue spreading the spyware from Google’s official app store going forward.

For this reason, you always need to be careful when downloading and installing new apps on your Android devices. You want to look at reviews and ratings carefully before downloading anything. Still, as these can be faked, you should also look for external third-party reviews and video reviews that show a particular app in action before you download it.

At the same time, you also want to ensure that Google Play Protect is enabled on your smartphone or tablet since it can scan all your existing apps and any new ones you download for malware. For additional protection, though, you should also consider using one of the best Android antivirus apps alongside it.

Malicious apps have been very successful for hackers and other cybercriminals in the past, which is why this threat likely won’t be going away anytime soon despite Google’s best efforts to prevent them from ending up on the Play Store. This is why you need to be careful and do your research first before installing any new apps on your Android smartphone or tablet.
