© 2025 CoolTechZone - Latest tech news,
product reviews, and analyses.

New Mandrake spyware goes unnoticed for two years in Google Play Store


Security researchers from Kaspersky found several suspicious applications in the Google Play Store that turned out to contain a new version of the Mandrake spyware. It was able to hide itself from Google for two years.

The original Mandrake campaign ran in two infection waves: 2016-2017 and 2018-2020. It was first analyzed by the cybersecurity firm Bitdefender, which described it as intrusive spyware that had managed to conceal itself from Google for four years.

The Mandrake spyware can collect, send, and delete text messages; make and end phone calls, reset smartphones, show fake notifications, enable GPS tracking, install and uninstall applications, steal user data and device information, and transfer login credentials from browser and banking apps. The malware also provides remote access to a device and can draw so-called ‘overlays’ on pre-installed apps.

In April 2024, Kaspersky discovered a new version of the Mandrake spyware in the Google Play Store. According to security researchers, the newest version of Mandrake is just as dangerous as the previous one. The main distinguishing feature of the new variant is its layers of obfuscation, designed to bypass all of Google Play’s security measures.

Kaspersky found five applications in the Google Play Store containing Mandrake, including a file-sharing application called AirFS. The apps had over 32,000 downloads, most of which were from Canada, Germany, Italy, Mexico, Spain, Peru, and the United Kingdom.

These malicious apps were published in 2022 and were available for two years. The most recent update was on March 15, and they were removed from the Google Play Store the same month. As of this writing, all of the suspicious apps are no longer in the Google Play Store.

“The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion, and bypassing new defense mechanisms,” security researchers from Kaspersky conclude. They point out that the threat actor, most likely (state-sponsored) hackers from Russia given that the command and control servers are registered there, has “formidable skills.”

In addition, Kaspersky points out that stricter vetting of applications before they are published sounds good but is not the solution on its own: it only leads to “more sophisticated, harder-to-detect threats” sneaking into the Google Play Store.

