Redesigned malware revived on Android

Andrew Tetzeli, IT Professional
2 min read · Jul 31, 2024


Tip: Always use antivirus, firewall, and content blockers on devices wherever possible. It’s what I do, and for clients.

The newest generation of the Mandrake family of Android malware carries on its tradition of using complex methods to evade detection.

From https://arstechnica.com/security/2024/07/mysterious-family-of-malware-hid-in-google-play-for-years/:

[The] apps reappeared in 2022 and went unnoticed until now. Besides a new round of decoy apps, the Mandrake operators also introduced several measures to better conceal their malicious behavior, avoid analysis from “sandboxes” used by researchers to identify and study malware, and combat malware protections introduced in recent years.

Of course, most antivirus software is only as good as its definitions and its ability to block what malware does. The point is to use layers of protection, e.g., firewalls and content blockers, to help prevent malware from communicating and transmitting the information it steals, typically user credentials, including those for cryptocurrency and other accounts. In this case, most major malware detection services did not flag the apps containing the latest Mandrake variants, and the apps were themselves disguised as cryptocurrency apps.

This newest generation stored the malware code in the native library libopencv_dnn.so. Doing so added more obfuscation than before, because these native libraries are harder to inspect. On top of that, the Mandrake apps obfuscated the code within the native library using a different, particularly complex obfuscator, a compilation suite known as O-LLVM.
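An analyst-side triage step suggested by this hiding place, as an added example that is not from the article or its sources: enumerate the native libraries inside an APK (an APK is a zip archive), hash each one, and flag any well-known library name whose digest does not match a build you trust. The WELL_KNOWN_NAMES and TRUSTED_SHA256 sets, the entropy heuristic and the sample APK are constructed here for illustration.

```python
import hashlib
import io
import math
import zipfile

# Names of well-known native libraries a malicious .so might impersonate.
# libopencv_dnn.so is the name Mandrake used; the others are illustrative.
WELL_KNOWN_NAMES = {"libopencv_dnn.so", "libopencv_java4.so", "libcrypto.so", "libssl.so"}
# SHA-256 digests of genuine builds you have verified yourself (constructed, left empty here).
TRUSTED_SHA256: set[str] = set()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted payloads approach 8.0, zero padding approaches 0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def inventory_native_libs(apk_bytes: bytes) -> list[dict]:
    """One record per lib/<abi>/*.so entry, with hash, entropy and an impersonation flag."""
    records = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            parts = info.filename.split("/")
            if len(parts) != 3 or parts[0] != "lib" or not parts[2].endswith(".so"):
                continue  # skip dex, manifest and resources: only native code is inventoried
            data = apk.read(info)
            digest = hashlib.sha256(data).hexdigest()
            records.append({
                "abi": parts[1],
                "name": parts[2],
                "sha256": digest,
                "entropy": round(shannon_entropy(data), 2),
                # A familiar library name whose hash is not a trusted build deserves a closer look.
                "impersonation_suspect": parts[2] in WELL_KNOWN_NAMES and digest not in TRUSTED_SHA256,
            })
    return records


def build_sample_apk() -> bytes:
    """Constructed sample APK for offline use; not a real application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        z.writestr("lib/arm64-v8a/libopencv_dnn.so", b"\x7fELF" + bytes(range(256)) * 4)
        z.writestr("lib/arm64-v8a/libhelper.so", b"\x7fELF" + bytes(512))
    return buf.getvalue()
```

Run `inventory_native_libs(build_sample_apk())` to see the two records; on a real APK, compare the reported digests against hashes of the official OpenCV release before trusting a library by name alone.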

The upside is that this malware was selective. Even when installed, it would not activate except when a series of conditions was met. Earlier generations of Mandrake, for example, were designed not to function in 90 countries, including former states of the USSR, and only for very narrowly targeted users.

The upshot is that:

  1. Always use a combination of antivirus, firewall, and content blockers.
  2. Do not download just ‘any’ app and install it.
  3. Keep the number of apps installed on devices to the minimum necessary.
  4. Even if an app does not contain malicious code, it is better, as a general rule, not to install or use an app whose functionality one can access through a browser. Apps across ecosystems are far too often loaded with user tracking, ads, and telemetry, which are used to build a profile of the user that is then used for marketing and more ads, and often sold on to third parties.


Written by Andrew Tetzeli, IT Professional

IT Professional with expertise in: Systems: macOS, Windows, Linux, iOS, Android; Cybersecurity; System administration; Software; Development; Networks, Servers
