July 31st, 2024

Mysterious family of malware hid in Google Play for years

A family of Android malware named Mandrake has been found in Google Play, evading detection for years. It steals credentials and executes malicious applications, highlighting challenges in malware detection.


A family of Android malware known as Mandrake has been discovered in Google Play after evading detection for years. Initially identified by Bitdefender in 2020, Mandrake was found hidden in apps masquerading as file-sharing, astronomy, and cryptocurrency tools. The apps appeared in two waves, from 2016 to 2017 and again from 2018 to 2020, with an estimated tens of thousands of victims during the latter period. Following Bitdefender's report, the malware seemed to disappear, but it resurfaced in 2022 and remained undetected until recently. Kaspersky researchers noted that the latest Mandrake variants employed advanced obfuscation techniques to evade analysis and detection, including moving the malicious code out of the app's Dalvik bytecode into native libraries, where static analysis of the bytecode does not reach, and using a kill switch to erase traces of the malware.
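The move of malicious logic into native libraries is the detail a practitioner will most want to check for when triaging an APK. The following Python script is added here as an illustration; it is not code from the article, from Bitdefender or from Kaspersky. It treats the APK as the ordinary zip file it is, inventories every shared library under lib/, verifies that each one really is an ELF object, and flags two things: a .so whose contents are not ELF at all (which often means a packed or encrypted payload that is decrypted at runtime) and an app whose native code dwarfs its Dalvik bytecode. The sample APK it builds in memory is constructed for the example, and the size-ratio threshold and both heuristics are assumptions of this example, not published Mandrake indicators.

```python
import io
import struct
import zipfile

# ELF magic and e_machine values from the ELF specification, used to
# sanity-check that a file shipped as .so is really a native object.
ELF_MAGIC = b"\x7fELF"
MACHINES = {0x28: "arm", 0xB7: "aarch64", 0x03: "x86", 0x3E: "x86_64"}


def inventory_native_libs(apk_bytes):
    """Return ([(path, abi, machine, size), ...], total_dex_bytes) for an APK.

    An APK is a zip archive, so zipfile is enough to walk lib/<abi>/*.so and
    classes*.dex without any Android tooling.
    """
    libs = []
    dex_bytes = 0
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                parts = name.split("/")
                abi = parts[1] if len(parts) == 3 else "?"
                with zf.open(info) as fh:
                    header = fh.read(20)  # e_ident (16) + e_type (2) + e_machine (2)
                if header[:4] != ELF_MAGIC:
                    machine = "NOT-ELF"
                else:
                    little_endian = header[5] == 1  # EI_DATA
                    (e_machine,) = struct.unpack("<H" if little_endian else ">H", header[18:20])
                    machine = MACHINES.get(e_machine, hex(e_machine))
                libs.append((name, abi, machine, info.file_size))
            elif name.startswith("classes") and name.endswith(".dex"):
                dex_bytes += info.file_size
    return libs, dex_bytes


def triage(apk_bytes, ratio_threshold=2.0):
    """Apply two heuristics (assumptions of this example) and return findings as strings."""
    libs, dex_bytes = inventory_native_libs(apk_bytes)
    native_bytes = sum(size for _, _, _, size in libs)
    findings = []
    for name, abi, machine, size in libs:
        if machine == "NOT-ELF":
            findings.append(f"{name}: shipped as .so but not an ELF file (packed or encrypted payload?)")
    if dex_bytes and native_bytes / dex_bytes > ratio_threshold:
        findings.append(
            f"native code ({native_bytes} B) exceeds {ratio_threshold}x the DEX size ({dex_bytes} B)"
        )
    return findings


def build_sample_apk():
    """Constructed sample APK for this example (not a real app): a tiny DEX, a
    large aarch64 ELF stub, and a zero-filled blob posing as a shared library."""
    elf_header = (
        ELF_MAGIC
        + bytes([2, 1, 1, 0])      # EI_CLASS=64-bit, EI_DATA=little, EI_VERSION, EI_OSABI
        + b"\x00" * 8              # padding to the end of e_ident
        + struct.pack("<HH", 3, 0xB7)  # e_type=ET_DYN, e_machine=AArch64
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 1000)
        zf.writestr("lib/arm64-v8a/libcore.so", elf_header + b"\x00" * 5000)
        zf.writestr("lib/armeabi-v7a/libcore.so", b"\x00" * 3000)  # not an ELF object
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    for entry in inventory_native_libs(sample)[0]:
        print("lib:", entry)
    for finding in triage(sample):
        print("finding:", finding)
```

On a real APK, pass the file's bytes to triage(); the ratio heuristic is deliberately coarse, since games and media apps legitimately ship large native code, so treat its output as a prompt to look at the libraries with a disassembler rather than as a verdict.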

Mandrake's primary functions are stealing user credentials and executing further malicious applications, typically against a small number of carefully selected victims. On commands from its control server, the malware can record the screen and capture user input. Kaspersky identified several apps associated with Mandrake, which were removed from Google Play after their discovery. The ongoing evolution of Mandrake shows that sophisticated malware can still slip past the improved app-vetting processes of official marketplaces.

Related

Mac users served info-stealer malware through Google ads

Mac users targeted by info-stealer malware via Google ads promoting fake Arc browser for Mac. Malware sends data to Poseidon info stealer control panel, extracting wallets and passwords. Google disclaims responsibility. Users urged caution.

Poseidon malware menaces Mac users via GoogleAds

A macOS malware named 'Poseidon' masquerades as the Arc web browser in Google ads, redirecting users to a fake site that serves the trojan. It aims to steal credentials and VPN settings for potential data theft. Researchers warn of its resemblance to the AtomicStealer malware family, advising caution in app downloads to prevent infection and data breaches.

Concealed backdoor in fake AWS files escaped mainstream notice

Researchers found fake AWS packages on NPM with hidden backdoor code targeting developers. Despite being reported, the packages were available for two days, revealing challenges in detecting and removing threats promptly. Malware in open source repositories is becoming more sophisticated, evading security products. The incident highlights the need for vigilance when using third-party libraries.

Telegram zero-day for Android allowed malicious files to masquerade as videos

Researchers found a zero-day exploit in Telegram for Android, named EvilVideo, that let attackers send malicious files disguised as videos. Telegram fixed it in version 10.14.5 and later; the patched version no longer downloads such files automatically. The exploit was sold on a forum, and the threat actor behind it is unknown.

A Hacker 'Ghost' Network Is Quietly Spreading Malware on GitHub

Cybersecurity researchers discovered a network of 3,000 fake GitHub accounts, "Stargazer Goblin," spreading malware like ransomware. The operation manipulates GitHub tools, targeting Windows users seeking free software.

1 comment
By @loa_in_ - 6 months
It looks like a remote tool for accessing web resources from compromised devices using stolen credentials. It's how I imagine malicious actors make use of cookies found elsewhere. It's a unique opportunity for them, and they put a lot of effort into making use of it. Bravo!