Researchers at the Romanian cybersecurity firm Bitdefender have revealed that they have found malware that has been spying on and stealing from Android users since 2016. Bitdefender, which describes itself as a global leader in cybersecurity, said that the malware, known as Mandrake, had remained undetected due to its precise targeting of users.
The hackers hid the malware in applications in the Google Play Store, such as OfficeScanner, Abfix, Currency XE Converter, SnapTune Vid, CoinCast, Horoskope, and Car News. The cybercriminals worked meticulously, as not only did they set up websites and accounts on social media for these apps, but they also responded to users’ feedback and fixed glitches in them.
The hackers used a three-stage process to infect devices.
- A user installs one of the apps in question, which contains a dropper, a program used to install malware.
- The dropper contacts a server, and the hackers instruct it to download a loader. This step is disguised, for example, as an update for Google Play services.
- The attackers then instruct the loader to download Core, the component that allows the cybercriminals to take control of the device.
Once Core was downloaded to the device, the hackers had full control of it: they could extract SMS messages, send SMS messages to certain numbers, steal contact lists and financial credentials, install and uninstall apps, and conduct phishing attacks against shopping and financial applications, including cryptocurrency wallets, Amazon, and PayPal.
After stealing a target’s data, or if the victim didn’t have anything of value, the hackers would launch a command called “seppuku” (a Japanese form of suicide) that initiated a reset to factory settings, which would delete the malware itself.
The researchers at Bitdefender say there were two waves of infection: one between 2016 and 2017 and the other between 2018 and 2020. "We presume that the number of victims is in the count of tens of thousands, but we don’t know how many for sure," Bogdan Botezatu, director of threat research and reporting at Bitdefender, told The Register.
For some reason, the hackers targeted people in developed countries – Australia, Canada, European Union members, and the United States – but ignored people in low-income countries such as the former Soviet republics, countries in Africa, and some Arabic-speaking nations. In all, the cybercriminals "spared" users in 90 countries. Bitdefender didn’t say where the hackers come from.
The firm noted that the malware is still active and has the potential to expand its reach.