# Mandrake
Mandrake is a sophisticated Android spyware platform that operated undetected on Google Play for multiple years across two separate campaigns. Bitdefender first documented the family in 2020, revealing a four-year presence (2016-2020) on Google Play with an estimated 32,000+ installations. Kaspersky documented the return in July 2024, finding new variants that had been present on Google Play since 2022, completely undetected for two years. The second wave moved core malicious functionality into native libraries obfuscated with OLLVM and included a "seppuku" self-destruct feature that wipes all malware traces from the device.
## Overview
| Attribute | Details |
|---|---|
| First Seen | 2016 |
| Last Seen | Active (second wave discovered 2024) |
| Status | Active, under continued development |
| Type | Spyware platform, credential stealer |
| Attribution | Unknown; sophisticated actor with long operational patience |
| Aliases | None known |
## Vendor Names
| Vendor | Name |
|---|---|
| Kaspersky | HEUR:Trojan-Spy.AndroidOS.Mandrake |
| Bitdefender | Android.Spy.Mandrake |
| ESET | Android/Spy.Mandrake |
| McAfee | Android/Mandrake |
## Origin and Lineage
Mandrake is an independently developed spyware platform with no known code connections to other documented families. Its sophistication level (multi-stage loading, OLLVM-obfuscated native libraries, certificate pinning, extended dormancy on Play Store) places it closer to commercial spyware operations like FinSpy or Hermit than to typical banking trojans, though its distribution via Google Play and broad targeting differ from the targeted delivery model of commercial surveillance tools.
## Campaign Timeline
| Campaign | Period | Detection Gap |
|---|---|---|
| First wave | 2016-2020 | 4 years on Google Play undetected |
| Second wave | 2022-2024 | 2 years on Google Play undetected |
The ability to maintain presence on Google Play for years without detection by Play Protect or any AV engine demonstrates exceptional anti-detection engineering.
## Distribution
Both campaigns used Google Play as the primary distribution vector. Apps appeared as legitimate utilities:
### First Wave (2016-2020)
The first-wave droppers posed as finance, automotive, and document management apps. Bitdefender identified apps that functioned legitimately while embedding the Mandrake framework.
### Second Wave (2022-2024)
| App | Category | Installs |
|---|---|---|
| AirFS (file sharing) | Productivity | 30,305 |
| Astro Explorer | Tools | 718 |
| Amber | Lifestyle | 19 |
| CryptoPulsing | Finance | 790 |
| Brain Matrix | Education | 259 |
The second wave apps had lower install counts but maintained presence for two years, suggesting the operator prioritized stealth over scale.
## Capabilities
| Capability | Description |
|---|---|
| Screen recording | Captures device screen via MediaProjection API |
| Credential theft | Phishing overlays for banking and social media apps |
| File exfiltration | Browses and uploads files from device storage |
| Contact/SMS theft | Reads contacts, call logs, SMS messages |
| GPS tracking | Continuous location monitoring |
| Audio recording | Records via device microphone |
| App installation | Downloads and installs additional APKs |
| Seppuku (self-destruct) | Wipes all malware data and traces on operator command |
| Browser cookie theft | Extracts authentication cookies from browsers |
| Click simulation | Simulates user interactions via accessibility |
### Seppuku Self-Destruct
The "seppuku" command triggers complete removal of all Mandrake components and data from the device. This anti-forensic feature allows operators to eliminate evidence if they suspect the device is under analysis or if the operation is being investigated. Unlike BRATA's factory reset (which wipes the entire device), seppuku selectively removes only Mandrake artifacts, leaving the device otherwise intact and reducing the likelihood the user notices anything happened.
## Technical Details
### Multi-Stage Loading
Mandrake uses a three-stage loading architecture:
```text
Stage 1: Dropper (Google Play app)
  → Decrypts and loads Stage 2 from assets/
Stage 2: Loader (native library)
  → Contacts C2 for Stage 3
  → Performs environment checks
Stage 3: Core spyware module
  → Full functionality downloaded from C2
  → Loaded via DexClassLoader
```
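The loader pattern above (an encrypted blob under `assets/`, a native library that unpacks it, and a `DexClassLoader` reference that loads the result) leaves static traces an analyst can triage for before running anything. The following is an added example, not Mandrake code or any vendor's tool: it walks an APK as a zip, flags high-entropy assets as likely encrypted payloads, lists native libraries, and looks for the `DexClassLoader` descriptor in the DEX string table. The entropy cutoff and the sample archive are constructed for the example.

```python
"""Static triage heuristic for the multi-stage loader pattern (added example)."""
import io
import math
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cutoff for "looks encrypted"
DEX_LOADER_REF = b"Ldalvik/system/DexClassLoader;"  # type descriptor in the DEX string table


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Inspect an APK (a zip) given as bytes and report loader indicators."""
    report = {"encrypted_assets": [], "native_libs": [], "dex_class_loader": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("assets/") and not name.endswith("/"):
                # Compressed or encrypted data both score high; either deserves a look.
                if shannon_entropy(zf.read(name)) >= ENTROPY_THRESHOLD:
                    report["encrypted_assets"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"].append(name)
            elif name.startswith("classes") and name.endswith(".dex"):
                if DEX_LOADER_REF in zf.read(name):
                    report["dex_class_loader"] = True
    # Encrypted asset plus a runtime DEX loader is the combination worth escalating.
    report["multi_stage_suspect"] = bool(report["encrypted_assets"]) and report["dex_class_loader"]
    return report


def build_sample_apk() -> bytes:
    """Constructed sample: not a real APK, only a zip with the relevant layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + DEX_LOADER_REF + b"\0padding")
        zf.writestr("assets/config.json", b'{"theme": "dark", "lang": "en"}' * 20)
        # Uniform byte distribution stands in for an encrypted second stage.
        zf.writestr("assets/data.bin", bytes(range(256)) * 16)
        zf.writestr("lib/arm64-v8a/libhelper.so", b"\x7fELF" + b"\0" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

A hit only means the app loads code it ships encrypted, which some legitimate packers also do; the value is in prioritising which Play submissions get dynamic analysis.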
### OLLVM Obfuscation (Second Wave)
The 2024 variants moved critical functionality into native libraries obfuscated with OLLVM (Obfuscator-LLVM):
| Technique | Purpose |
|---|---|
| Control flow flattening | Hides program logic from static analysis |
| String encryption | All strings decrypted at runtime |
| Bogus control flow | Inserts dead code paths to confuse decompilers |
| Instruction substitution | Replaces standard operations with equivalent complex ones |
This is the same obfuscation framework used by some packer vendors and nation-state tooling. Its application to Google Play malware is uncommon.
### Anti-Analysis
| Check | Method |
|---|---|
| Emulator detection | Checks build properties, hardware characteristics, sensor availability |
| Frida detection | Scans for Frida server processes and libraries |
| Root detection | Checks for su binary, root management apps |
| Debugger detection | Checks TracerPid, debug flags |
| Certificate pinning | Validates C2 server certificates against embedded pins |
### C2 Communication
- HTTPS with certificate pinning
- TLS client certificates for mutual authentication
- Traffic encrypted with AES
- Heartbeat mechanism to maintain persistent connection
- Commands and responses serialized with custom binary protocol
## Target Regions
Mandrake is not narrowly region-specific. The Google Play distribution means infections follow the apps' geographic availability. Kaspersky reported the highest detection rates in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK during the second wave.
## Notable Campaigns
2016-2020: Bitdefender discovers the first Mandrake campaign after four years of undetected operation on Google Play. Multiple utility apps served as dropper vehicles. The research reveals a full-featured spyware platform with credential theft, screen recording, and file exfiltration capabilities.
2022-2024: Mandrake returns to Google Play with significantly upgraded anti-detection capabilities. Core malicious logic moved from DEX to OLLVM-obfuscated native libraries. Five apps identified with combined 32,000+ installs over a two-year undetected period.
2024, July: Kaspersky publishes analysis of the second wave, documenting the OLLVM obfuscation, seppuku self-destruct feature, and upgraded anti-analysis checks. Google removes identified apps from Play Store.