Subject: 5 Mandrake spyware apps removed from Google Play
From: IsaacMontara (at) *nospam* nospam.com (Isaac Montara)
Groups: comp.mobile.android
Date: 31. Jul 2024, 04:04:55
Organization: A noiseless patient Spider
Message-ID: <v8c9kn$1drgn$1@dont-email.me>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
https://arstechnica.com/security/2024/07/mysterious-family-of-malware-hid-in-google-play-for-years/

Besides a new round of decoy apps, the Mandrake operators also introduced
several measures to better conceal their malicious behavior, avoid analysis
from "sandboxes" used by researchers to identify and study malware, and
combat malware protections introduced in recent years.
A key feature of the latest generation of Mandrake is multiple layers of
obfuscation designed to prevent analysis by researchers and bypass the
vetting process Google Play uses to identify malicious apps. All five of
the apps Kaspersky discovered first appeared in Play in 2022 and remained
available for at least a year. The most recent app was updated on March 15
and removed from the app market later that month. As of earlier this month,
none of the apps were detected as malicious by any major malware detection
provider.
One means of obfuscation was to move malicious functionality to native
libraries, which were obfuscated. Previously, Mandrake stored the malicious
logic of the first stage in what's known as the application DEX file, a
type of file that's trivial to analyze. By switching the location to the
native library libopencv_dnn.so, the Mandrake code is harder to analyze and
detect because the native libraries are more difficult to inspect. By then
obfuscating the native library using the OLLVM obfuscator, Mandrake apps
were even more stealthy.
The chief purposes of Mandrake are to steal the user's credentials and
download and execute next-stage malicious applications. But these actions
are carried out only in later-stage infections that are served only to a
small number of carefully selected targets. The primary method is by
recording the screen while a victim is entering a passcode. The screen
recording is initiated by a control server sending commands such as
start_v, start_i, or start_a.

Package name              App name
com.airft.ftrnsfr         AirFS
com.astro.dscvr           Astro Explorer
com.shrp.sght             Amber
com.cryptopulsing.browser CryptoPulsing
com.brnmth.mtrx           Brain Matrix kodaslda
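Since the quoted article says the first-stage logic moved out of the DEX file into an obfuscated native library, a DEX-only scan of these apps sees nothing. The script below is an added example (my own, not Kaspersky's or Ars Technica's code) of the static triage a practitioner would run over an APK: it treats the archive as the zip it is, lists every lib/<abi>/*.so entry, flags a real ELF object named libopencv_dnn.so, and matches the package name against the five packages listed above. Assumptions: the package name is supplied by the caller (parsing the binary AndroidManifest.xml is out of scope), and the sample APKs are constructed in memory with stub contents, not real apps. Note the caveat in the code: legitimate OpenCV-based apps ship libopencv_dnn.so too, so that finding is a reason to open the library in a disassembler, not a conviction.

```python
"""Static triage of an APK for the indicators named in the post.

Added example, not code from the article or from Kaspersky. The package
name is passed in by the caller (assumption: obtained from aapt or the
Play listing); the APK inputs below are constructed stubs.
"""
import io
import zipfile

# The five dropper package names and app names listed in the post.
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr": "AirFS",
    "com.astro.dscvr": "Astro Explorer",
    "com.shrp.sght": "Amber",
    "com.cryptopulsing.browser": "CryptoPulsing",
    "com.brnmth.mtrx": "Brain Matrix",
}

# Native library the article names as the new home of the first stage.
SUSPICIOUS_NATIVE_LIB = "libopencv_dnn.so"
ELF_MAGIC = b"\x7fELF"


def list_native_libs(zf):
    """Yield (abi, soname, entry) for every lib/<abi>/*.so entry in the APK."""
    for name in zf.namelist():
        parts = name.split("/")
        if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
            yield parts[1], parts[2], name


def triage_apk(apk_bytes, package_name):
    """Return a findings dict for one APK (bytes of the zip archive)."""
    findings = {
        "package": package_name,
        "known_mandrake_app": MANDRAKE_PACKAGES.get(package_name),
        "native_libs": [],
        "suspicious_lib_abis": [],
        "has_dex": False,
        "verdict": "no_indicator",
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for abi, soname, entry in list_native_libs(zf):
            findings["native_libs"].append(entry)
            # Only count the name hit if the entry really is an ELF object;
            # a renamed text file is not a native library.
            if soname == SUSPICIOUS_NATIVE_LIB and zf.read(entry)[:4] == ELF_MAGIC:
                findings["suspicious_lib_abis"].append(abi)
        findings["has_dex"] = any(
            n.startswith("classes") and n.endswith(".dex") for n in zf.namelist()
        )
    if findings["known_mandrake_app"]:
        findings["verdict"] = "known_mandrake_package"
    elif findings["suspicious_lib_abis"]:
        # Legitimate OpenCV apps ship libopencv_dnn.so as well, so this is
        # a review trigger (open the .so in a disassembler), not a conviction.
        findings["verdict"] = "review_native_lib"
    return findings


def build_sample_apk(package_name, include_suspicious_lib=True):
    """Construct a minimal fake APK in memory (constructed stub data, not a
    real app): manifest stub, DEX stub and a few native library stubs."""
    buf = io.BytesIO()
    stub_so = ELF_MAGIC + b"\0" * 64
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", package_name.encode())  # not real AXML
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        zf.writestr("lib/arm64-v8a/libc++_shared.so", stub_so)
        if include_suspicious_lib:
            zf.writestr("lib/arm64-v8a/" + SUSPICIOUS_NATIVE_LIB, stub_so)
            zf.writestr("lib/armeabi-v7a/" + SUSPICIOUS_NATIVE_LIB, stub_so)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("com.airft.ftrnsfr", True),   # listed package: convicted by name
        ("com.example.camera", True),  # unknown package, ships the .so: review
        ("com.example.notes", False),  # nothing to flag by this check
    ]
    for pkg, with_lib in samples:
        f = triage_apk(build_sample_apk(pkg, with_lib), pkg)
        print(f"{pkg:28} {f['verdict']:24} abis={f['suspicious_lib_abis']}")
```

Run it as-is to see the three verdicts on the constructed samples; point triage_apk at the bytes of a real APK and the package name from aapt to use it on a live sample. Because the check keys on a library name and a package list, it is only a first filter: the article's point is that the interesting code is inside the OLLVM-obfuscated .so, which no zip listing will explain.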