Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. It is very actively maintained, and its features and attacks are executed with surgical precision.
Mandrake went undetected for several years by shipping legitimate-looking, ad-free applications backed by social media presence and genuine user reviews. The malicious functionality is only activated when the operators issue a specific command.[1]
Name | Description
---|---
oxide |
briar |
ricinus |
darkmatter |
Domain | ID | Name | Use
---|---|---|---
Mobile | T1432 | Access Contact List |
Mobile | T1517 | Access Notifications | Mandrake can capture all device notifications and hide notifications from the user.[1]
Mobile | T1409 | Access Stored Application Data |
Mobile | T1418 | Application Discovery |
Mobile | T1412 | Capture SMS Messages |
Mobile | T1436 | Commonly Used Port | Mandrake has communicated with the C2 server over TCP port 443.[1]
Mobile | T1447 | Delete Device Data |
Mobile | T1475 | Deliver Malicious App via Authorized App Store | Mandrake has had the first stage (dropper) distributed via the Google Play Store.[1]
Mobile | T1401 | Device Administrator Permissions | Mandrake can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.[1]
Mobile | T1520 | Domain Generation Algorithms |
Mobile | T1407 | Download New Code at Runtime | Mandrake can download its second (Loader) and third (Core) stages after the dropper is installed.[1]
Mobile | T1523 | Evade Analysis Environment | Mandrake can evade automated analysis environments by requiring a CAPTCHA on launch that prevents the application from running if it is not passed. It also checks for indications that it is running in an emulator.[1]
Mobile | T1541 | Foreground Persistence | Mandrake uses foreground persistence to keep a service running. It shows the user a transparent notification to evade detection.[1]
Mobile | T1516 | Input Injection | Mandrake abuses the accessibility service to prevent the removal of administrator and accessibility permissions, and to set itself as the default SMS handler.[1]
Mobile | T1411 | Input Prompt | Mandrake can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.[1]
Mobile | T1478 | Install Insecure or Malicious Configuration | Mandrake can enable app installation from unknown sources and can disable Play Protect.[1]
Mobile | T1430 | Location Tracking |
Mobile | T1444 | Masquerade as Legitimate Application | Mandrake can mimic an app called "Storage Settings" if it cannot hide its icon.[1]
Mobile | T1406 | Obfuscated Files or Information |
Mobile | T1544 | Remote File Copy | Mandrake can install attacker-specified components or applications.[1]
Mobile | T1513 | Screen Capture |
Mobile | T1582 | SMS Control | Mandrake can block, forward, hide, and send SMS messages.[1]
Mobile | T1508 | Suppress Application Icon |
Mobile | T1426 | System Information Discovery | Mandrake can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.[1]
Mobile | T1509 | Uncommonly Used Port | Mandrake has communicated with the C2 server over TCP port 7777.[1]
Mobile | T1481 | Web Service |