Spyware Hiding in the Google Play Store for Four Years

[НСК-СБ]

Spyware has been hiding in the Google Play Store for four years.

The malware disguised itself as various legitimate applications.

Bitdefender Specialists told about a malware campaign in which the spyware malware, dubbed Mandrake, hid for four years in the Google Play Store under the guise of a Coinbase cryptocurrency wallet, Gmail, Google Chrome browser, XE, PayPal currency conversion service, as well as Amazon applications and various banks in Australia and Germany.

The malware has a complex structure that allows its operators to avoid detection using conventional scanning. Disguised as legitimate applications, Mandrake allowed its operators to monitor almost all of the victim’s actions on a mobile device. As soon as the victim installed a malicious application, the loader component downloaded malware onto the device.

Unlike conventional bootloaders, Mandrake bootloaders can remotely turn on Wi-Fi, collect device information, hide their presence and notifications, and automatically install new applications. The components of one of the Mandrake bootloaders, presented to users under the guise of CAPTCHA, helped the malware avoid detection. They could determine if the program was running in a virtual machine or emulator.

Mandrake malware installation allowed to completely compromise the target device by providing administrator privileges for sending all incoming SMS messages to the server of malware operators or to a specified number, sending texts, making calls, stealing information from the contact list, activating and recording GPS coordinates, credential theft Facebook data and financial applications, recording a screen and initiating a factory reset to erase all user data and the malicious program itself in the process.

According to experts, the number of victims can be tens of thousands, however, in each case, the attack was initiated by operators, and not fully automated, as many families of malicious programs do.

The experts analyzed malware-related developer accounts on the Google Play Store and identified a Russian freelance developer hiding behind a network of fake company websites, stolen IDs and email addresses, and fake North America job advertisements.


Spyware Hiding in the Google Play Store for Four Years

 

[Матушкин Андрей Николаевич]

The experts analyzed malware-related developer accounts on the Google Play Store and identified a Russian freelance developer hiding behind a network of fake company websites, stolen IDs and email addresses, and fake North America job advertisements.

Thank. An extremely interesting article.

 

[Марат (МОД)]

On Android platforms, in my opinion, for a long time it is not clear what is going on, besides Google (and, of course, immediately raised hype about this, as no one knew), a lot of third-party software transmitting this or that information is not clear where. A striking example is an application that allows you to find out how you are clogged up with friends on the phone, which ultimately merges an unreal amount of information

 

[Детектив-Молдова]

In short, we pay money ourselves so that we are followed ... not good uncles))))