Spyware was hidden in the Google Play Store for four years

Specialists from Bitdefender have described a malicious campaign in which spyware called Mandrake was hidden for four years in the Google Play Store, disguised as Coinbase, Gmail, the Google Chrome browser, the XE currency-conversion service, PayPal, Amazon, and the apps of various banks in Australia and Germany.

The malware has a multi-stage structure that lets its operators evade detection by a routine scan. Disguised as legitimate applications, Mandrake allowed its operators to monitor virtually everything the victim did on the mobile device. Once the victim installed the malicious application, its downloader component fetched the actual spyware onto the device.

Unlike traditional downloaders, the Mandrake downloaders can remotely enable Wi-Fi, collect information about the device, hide their presence and their notifications, and install new applications automatically. A component of one of the Mandrake loaders, presented to users as a CAPTCHA, helped the malware evade detection: it checked whether the program was running on a virtual machine or an emulator, the typical environment of an analysis sandbox.

Installing Mandrake fully compromised the target device. With administrator privileges, the malware could forward all incoming SMS messages to the operators' server or to a specified number, send texts, make calls, steal the contact list, activate GPS and record coordinates, steal Facebook accounts and data from financial applications, record the screen, and initiate a factory reset that erased all user data, and the malware itself, in the process.

According to the experts, the number of victims may be in the tens of thousands, but in each case the attack was initiated manually by the operators rather than being fully automated, as many malware families are.

The experts analyzed the Google Play Store developer accounts linked to the malware and identified a Russian freelance developer hiding behind a network of fake company websites, stolen identity cards and email addresses, as well as fake job ads in North America.