Hundreds of thousands of Android users hit by Google Play spyware

Mandrake spyware masqueraded as legitimate apps with highly convincing social media accounts

A prolific form of Android spying malware was left undetected in the Google Play store for four years and is likely to have affected hundreds of thousands of users, according to the team of researchers who discovered it.

The team from cyber security firm Bitdefender discovered the "highly sophisticated Android espionage platform" earlier this year, although they believe it had been active since 2016, first targeting Android users in Australia and then users in the Americas and Europe, including the UK.

The malware has been further defined as a strain of spyware, which allowed its authors to snoop on any user that downloaded infected apps and access personal data, such as device preferences, the contents of their address books and messages, as well as device usage data and inactivity times.

Advertisement - Article continues below

Researchers have named the spyware 'Mandrake', as the criminals behind it were found to be using names of toxic plants for their development branches.

The team also found that Mandrake conducted phishing attacks on applications including Amazon, Gmail, PayPal, Google Chrome, as well as popular cryptocurrency wallet apps such as Lunoor, Coinbase and numerous banking apps from around the world. UK banks were not listed by Bitdefender among the victims.

Advertisement
Advertisement - Article continues below

The creators of the malware attempted to gain a strong presence on the app market and circumvent Google Play security by publishing their own malicious apps, such as OfficeScanner and CoinCast, and generated fake comments and downloads in order to ensure that their application made it to the trending section of Google Play.

The malware developers went to great lengths to ensure their apps came across as legitimate software, including by engaging with negative reviews and comments, and delivering fixes to the apps.

Advertisement - Article continues below

The marketing behind the malicious apps was so extensive that CoinCast not only had an official website, but also a strong social media presence on Facebook, Twitter, Reddit, and YouTube.

Related Resource

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now

Hackers even tried to evoke trust among its potential victims by listing an address for its  OfficeScanner app on its Facebook page, namely the Engineering and Mathematical Sciences Building in Milwaukee, Wisconsin.

Alongside CoinCast and OfficeScanner, Bitdefender also listed Abfix, SnapTune Vid, Currency XE Converter, Horoskope, and Car News as other malicious applications developed by Mandrake operators.

The Bitdefender team estimates "the number of victims in the tens of thousands for the current wave, and probably hundreds of thousands throughout the full 4-year period".

"We can also extrapolate that every victim of Mandrake has most probably been exposed to some form of data theft," they said.

The discovery made by Bitdefender comes weeks after a group of cyber security experts from Cybereason Nocturnus found that a mobile-based trojan was capable of compromising Android's accessibility features in order to steal user data from banking applications and read user's SMS messages, allowing the malware to bypass two-factor authentication.

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
UN report points to a 350% rise in phishing websites at start of 2020
phishing

UN report points to a 350% rise in phishing websites at start of 2020

7 Aug 2020