Security researchers have warned of an “incredibly sophisticated” Android hacking campaign that is all the more dangerous because it is highly selective in whom it attacks.
The Mandrake malware “puts in significant effort not to infect victims”, computer security firm Bitdefender said in an advisory.
The malware, which was distributed through several innocent-seeming apps on the Google Play store, “cherry-picks” only a few devices as targets for malicious code designed to take over the system and steal information, Bitdefender said.
“This is likely because its operators know that they increase their chances of being called out with every device they infect, so they have instructed the malware to avoid countries where compromised devices won’t bring them any return of interest,” researchers said.
The malware uses “advanced manipulation tactics” to trick users into granting far-reaching permissions, for instance by redrawing what users see on the screen so that their taps land on permission prompts they cannot see.
While users think they are merely carrying out a series of taps to accept an End-User Licence Agreement, they are actually granting “extremely powerful permissions” with which “the malware gets complete control of the device and data on it”.
The malware allows its controllers to collect any data from a compromised device, including account credentials, to secretly record what is happening on the screen and to monitor the user’s location via GPS, amongst other functions.
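The overlay trick described above only works because the app already holds the permission to draw over other apps and ends up with a more powerful privilege (on Android that is typically an enabled accessibility service, although the Bitdefender write-up does not name the specific permissions). The following triage script is an added example, not code from Bitdefender or from the Mandrake samples: it parses constructed, abbreviated text in the shape of `adb shell dumpsys package` output and of the `enabled_accessibility_services` secure setting, and flags any package that combines the overlay permission with an enabled accessibility service, noting as extra signals fine location (the GPS tracking mentioned above) and the ability to install packages (what a dropper needs to side-load a second-stage APK). The package names, service names and dumpsys excerpt are all made up for the example.

```python
import re
from typing import Dict, List, Set

# Platform permissions used as triage signals. The mapping to the behaviours in the
# article is this example's assumption; the article itself names none of them.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"        # draw over other apps
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"   # side-load a second-stage APK
LOCATION_PERM = "android.permission.ACCESS_FINE_LOCATION"      # GPS tracking

# Constructed, abbreviated text in the shape of `adb shell dumpsys package` output.
# Package names are hypothetical; this is not output captured from a real infection.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.weather] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_COARSE_LOCATION
"""

# Constructed value in the shape of
# `adb shell settings get secure enabled_accessibility_services`
# (colon-separated "package/ServiceClass" entries, or the literal "null").
SAMPLE_A11Y = ("com.example.notes/com.example.notes.HelperService:"
               "com.android.talkback/.TalkBackService")

PKG_RE = re.compile(r"^\s*Package \[(?P<pkg>[\w.]+)\]")


def parse_requested_permissions(dumpsys_text: str) -> Dict[str, List[str]]:
    """Map each package to the platform permissions listed under 'requested permissions:'."""
    perms: Dict[str, List[str]] = {}
    current = None
    in_requested = False
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group("pkg")
            perms[current] = []
            in_requested = False
            continue
        stripped = line.strip()
        if stripped.endswith(":"):
            # Any section header ends the current block; only one of them interests us.
            in_requested = stripped == "requested permissions:"
            continue
        if in_requested and current and stripped.startswith("android.permission."):
            perms[current].append(stripped)
    return perms


def parse_enabled_accessibility(setting: str) -> Set[str]:
    """Return the set of packages that have an enabled accessibility service."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in setting.strip().split(":") if entry}


def triage(dumpsys_text: str, a11y_setting: str) -> Dict[str, List[str]]:
    """Flag packages that hold the overlay permission and run an accessibility service."""
    perms = parse_requested_permissions(dumpsys_text)
    a11y_pkgs = parse_enabled_accessibility(a11y_setting)
    findings: Dict[str, List[str]] = {}
    for pkg, requested in perms.items():
        has_overlay = OVERLAY_PERM in requested
        has_a11y = pkg in a11y_pkgs
        # Overlay plus accessibility is the combination that lets an app redraw the
        # screen and turn innocent taps into powerful permission grants.
        if not (has_overlay and has_a11y):
            continue
        signals = ["can draw over other apps", "has an enabled accessibility service"]
        if INSTALL_PERM in requested:
            signals.append("can install packages (possible second-stage dropper)")
        if LOCATION_PERM in requested:
            signals.append("requests fine (GPS) location")
        findings[pkg] = signals
    return findings


if __name__ == "__main__":
    for pkg, signals in triage(SAMPLE_DUMPSYS, SAMPLE_A11Y).items():
        print(pkg)
        for s in signals:
            print("  -", s)
```

On a real device the two inputs come from `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; the script only surfaces candidates for a closer look, since legitimate screen readers and password managers legitimately hold the same combination.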
Mandrake has been active since at least 2016, and initially targeted Australian users before moving on to areas including Europe and the Americas.
The current attack campaign has probably compromised tens of thousands of users, and hundreds of thousands over the past four years, Bitdefender said.
The malware made its way onto Android devices via several apps on Google Play that appeared to be made by different developers, some targeting specific countries.
The apps were ad-free and received regular updates, and some even had social media accounts, Bitdefender said.
All the identified Mandrake apps have now been removed from Google Play, but researchers said the malware’s developers remain active and are likely to publish other apps with which to carry out attacks.
The initial apps carried no malicious code themselves; instead they downloaded a second-stage app with more capabilities, and did so only when expressly directed to by the operators, in order to evade the Play Store’s security controls.
Bitdefender said it hasn’t determined who is behind Mandrake, but noted that it specifically avoids infecting users located in former Soviet Union countries such as Ukraine, Belarus, Kyrgyzstan and Uzbekistan, as well as countries in Africa and the Middle East.
This is a tactic frequently employed by hackers to avoid attracting the attention of law enforcement authorities within their own countries.
Bitdefender advised users to avoid downloading apps from unknown sources.