
Mandrake Android Spyware

First observed in early 2020, Mandrake is a sophisticated spyware platform and associated support infrastructure used for targeted attacks against finance and commercial organisations in Europe and the USA.




Affected platforms

The following platforms are known to be affected:

Threat details

Mandrake is delivered through a number of apparently legitimate utility applications hosted on the Google Play Store. Unlike most malware delivered this way, Mandrake's operators take great care to ensure these applications are fully functional, even going so far as to create support websites and small-scale advertising campaigns for them. These applications collect user and system information and send it to a command and control (C2) server. The C2 server then uses this information to determine whether the affected user is a suitable target, based on an extensive list of criteria. If the user is found suitable, the C2 server instructs the application to download the actual Mandrake payload.

Once installed, Mandrake is given full administrative permissions by the utility application before removing itself from the application tray. It then connects to a separate C2 server to await further commands. By default, Mandrake is able to:

  • Send, collect, and delete SMS messages.
  • Initiate and terminate phone calls.
  • Reset or disable the affected device.
  • Display fake notifications.
  • Enable GPS tracking.
  • Install and uninstall applications.
  • Exfiltrate user and system information.
  • Extract user credentials from browsers and banking applications.

Remediation steps


To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Indicators of compromise

Last edited: 29 June 2021 12:01 pm