Hundreds of thousands of Android users hit by Google Play spyware

Mandrake spyware masqueraded as legitimate apps with highly convincing social media accounts

A prolific form of Android spying malware was left undetected in the Google Play store for four years and is likely to have affected hundreds of thousands of users, according to the team of researchers who discovered it.

The team from cyber security firm Bitdefender discovered the "highly sophisticated Android espionage platform" earlier this year, although they believe it had been active since 2016, first targeting Android users in Australia and then users in the Americas and Europe, including the UK.

The malware has been further defined as a strain of spyware, which allowed its authors to snoop on any user that downloaded infected apps and access personal data, such as device preferences, the contents of their address books and messages, as well as device usage data and inactivity times.

Researchers have named the spyware 'Mandrake', as the criminals behind it were found to be using names of toxic plants for their development branches.

The team also found that Mandrake conducted phishing attacks against applications including Amazon, Gmail, PayPal and Google Chrome, as well as popular cryptocurrency wallet apps such as Lunoor and Coinbase and numerous banking apps from around the world. UK banks were not listed by Bitdefender among the victims.

The creators of the malware attempted to gain a strong presence on the app market and circumvent Google Play security by publishing their own malicious apps, such as OfficeScanner and CoinCast, and generated fake comments and downloads in order to ensure that their application made it to the trending section of Google Play.

The malware developers went to great lengths to ensure their apps came across as legitimate software, including by engaging with negative reviews and comments, and delivering fixes to the apps.

The marketing behind the malicious apps was so extensive that CoinCast not only had an official website, but also a strong social media presence on Facebook, Twitter, Reddit, and YouTube.


The hackers even tried to evoke trust among potential victims by listing an address for the OfficeScanner app on its Facebook page, namely the Engineering and Mathematical Sciences Building in Milwaukee, Wisconsin.

Alongside CoinCast and OfficeScanner, Bitdefender also listed Abfix, SnapTune Vid, Currency XE Converter, Horoskope, and Car News as other malicious applications developed by Mandrake operators.

The Bitdefender team estimates "the number of victims in the tens of thousands for the current wave, and probably hundreds of thousands throughout the full 4-year period".

"We can also extrapolate that every victim of Mandrake has most probably been exposed to some form of data theft," they said.

The discovery made by Bitdefender comes weeks after a group of cyber security experts from Cybereason Nocturnus found that a mobile-based trojan was capable of abusing Android's accessibility features in order to steal user data from banking applications and read users' SMS messages, allowing the malware to bypass two-factor authentication.
