Subject: 5 Mandrake spyware apps removed from Google Play
From: Isaac Montara
Newsgroups: comp.mobile.android
Organization: A noiseless patient Spider
Date: Wed, 31 Jul 2024 03:04 UTC
Message-ID: <v8c9kn$1drgn$1@dont-email.me>

https://arstechnica.com/security/2024/07/mysterious-family-of-malware-hid-in-google-play-for-years/

Besides a new round of decoy apps, the Mandrake operators also introduced
several measures to better conceal their malicious behavior, avoid analysis
from "sandboxes" used by researchers to identify and study malware, and
combat malware protections introduced in recent years.

A key feature of the latest generation of Mandrake is multiple layers of
obfuscation designed to prevent analysis by researchers and bypass the
vetting process Google Play uses to identify malicious apps. All five of
the apps Kaspersky discovered first appeared in Play in 2022 and remained
available for at least a year. The most recent app was updated on March 15
and removed from the app market later that month. As of earlier this month,
none of the apps were detected as malicious by any major malware detection
provider.

One means of obfuscation was to move malicious functionality to native
libraries, which were obfuscated. Previously, Mandrake stored the malicious
logic of the first stage in what's known as the application DEX file, a
type of file that's trivial to analyze. By switching the location to the
native library libopencv_dnn.so, the Mandrake code is harder to analyze and
detect because the native libraries are more difficult to inspect. By then
obfuscating the native library using the OLLVM obfuscator, Mandrake apps
were even more stealthy.

The chief purposes of Mandrake are to steal the user's credentials and
download and execute next-stage malicious applications. But these actions
are carried out only in later-stage infections that are served only to a
small number of carefully selected targets. The primary method is by
recording the screen while a victim is entering a passcode. The screen
recording is initiated by a control server sending commands such as
start_v, start_i, or start_a.

com.airft.ftrnsfr AirFS
com.astro.dscvr Astro Explorer
com.shrp.sght Amber
com.cryptopulsing.browser CryptoPulsing
com.brnmth.mtrx Brain Matrix kodaslda
