Mandrake Android malware stealing Facebook, crypto data since 2016

Every day we see unique instances of malware come up but Mandrake…

Every day we see unique instances of malware come up, different from any that we have seen before. In a world so driven with innovation, not being surprised can become difficult. One such malware named Mandrake has been reported just yesterday by Cybersecurity firm Bitdefender in a report detailing its workings since 2016.

Firstly, Mandrake lures a user into installing trojanized apps on the Google Play Store, 7 of which were found with a high number of downloads including:

Car News
SnapTune Vid
Office Scanner
Currency XE Converter 

See: Android ransomware found extorting credit card details from users

These apps are of different categories ensuring that a cross-section of users are infected widening the scope of the malware. Ironically, in a bid to appear as legitimate as possible, the attackers even responded to user complaints and fixed bugs found within the apps.


Further, ads were rarely shown with social media pages being created for each app as well.

Malware infecting Android users through trojanized apps since 2016
Image: Bitdefender

Secondly, according to the researchers, unlike other threat actors, the attackers in this case only attempt to activate the malware on certain selected devices it infects which they believe will yield them reasonable monetary benefits. Hence, countries with a low GDP per capita primarily including African, Arabic, and Post-Soviet states numbering about 90 are excluded. The researchers further stated in a blog post that,

It also avoids running on devices with no SIM cards or with SIMs issued by specific operators. Most notably, it will not run with Verizon or China Mobile Communications Corporation (CMCC) operators, among others. Command and control servers also imply protection mechanisms, rejecting connections from different IP ranges or known cloud IPs.

The reason they do so is to avoid the kind of unneeded publicity that will make them more discoverable otherwise speeding up the reaction of cybersecurity researchers. To evaluate users through the aforementioned criteria, it installs a loader that collects the required user information and communicates it back to the attackers for them to decide on the suitability of infecting a user.

Start Streaming with IPVanish Now!

Once it is activated, it can steal cryptocurrencies and credentials of applications such as Facebook, manipulate text messages,  enable screen recording, send notifications, track the user’s location, initiate calls along with even factory-resetting a phone to remove any traces of its existence.

To do so, it basically manipulates the screen of the user by re-drawing certain elements behind the scenes and therefore fooling the users into believing otherwise through a fake overlay.

Malware infecting Android users through trojanized apps since 2016
Image: Bitdefender

An example to illustrate so is of a license agreement being displayed to the users with a button asking them to agree to the conditions specified there within. However, in actuality, the button is not to agree to the terms but a set of permissions that the attacker is requesting which will allow them to gain control over the device.


Concluding; currently, all of these malicious apps have been removed from the Play Store but it still tells us an alarming fact – such apps can remain undetected for years infecting thousands of users in the process. As for the ones behind this, Bitdefender believes that it may be a criminal group based in Russia.

See: New nasty Android EventBot malware infects devices by evading 2FA

For concerned users, this puts out another important lesson that even if all the right signs are there, it necessarily does not mean that the apps are legitimate. Hence, avoiding the installation of any unnecessary apps seems to be the safest way possible here and scan your device regularly with a reliable anti-malware app.

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

Related Posts