Mandrake Malware Made Its Way Back to Google Play 

A family of Android malware, Mandrake, has made its way back to Google Play, but this time, concealed in different apps.

A family of Android malware, Mandrake, has made its way back to Google Play, but this time, concealed in different apps, stealing user credentials while remaining undetected.  

Smart Tactics to Stay Hidden 

In 2020, both Kaspersky and Bitdefender issued warnings about this malware, describing the methods it used to stay concealed and undetected. Mandrake stayed hidden for so long because of the deliberate strategies it employed to avoid exposure.

The malware didn’t turn on in 90 countries, including former Soviet Union states. It had also been very selective when it came to choosing targets before its final payload was fired off. 

A “kill switch” was also included, a routine called seppuku, a Japanese term for ritual suicide, which erased all traces of the malware if needed. 

According to a report by Bitdefender, there were two broad waves of attacks, one that took place from 2016 to 2017 and another one from 2018 to 2020. The report also highlighted the presence of tens of thousands of users who were affected during the latter period, and probably hundreds of thousands during the four years. 

Following the report, the malware disappeared. In a later report, Kaspersky indicated that Mandrake-infected apps made their way back to Google Play in 2022 but went unnoticed until now, as they used more sophisticated techniques to avoid detection and analysis.

Enhanced Security Is a Must 

Kaspersky researchers Tatyana Shishkova and Igor Golovin stated that “The Mandrake spyware is dynamically evolving, improving its methods of concealment, sandbox evasion, and bypassing new defense mechanisms.”

The overall goal of the Mandrake malware is to steal user credentials and then download additional malicious applications. It does this by recording the screen as users key in their passcodes. The recording is triggered by commands from the control server, such as start_v, start_i, and start_a, which start screen recording and automate actions on the device.

Neither Kaspersky nor Bitdefender has been able to determine who is behind Mandrake or what their motives are. Even so, the comeback of this advanced malware clearly indicates a strong need for greater control over app marketplaces.

Final Thoughts 

The return of Mandrake malware to Google Play serves as a stark reminder of just how serious cyber threats can be. Even with previous warnings and mitigations in place, Mandrake still manages to hide itself and do its damage. That it goes unnoticed by users, and singles out particular users as targets, clearly shows how advanced its techniques are.


Inside Telecom provides you with an extensive list of content covering all aspects of the tech industry. Keep an eye on our Tech sections to stay informed and up-to-date with our daily articles.