Mandrake

Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.

Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.[1]

ID: S0485
Associated Software: oxide, briar, ricinus, darkmatter
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 15 July 2020
Last Modified: 11 September 2020

Associated Software Descriptions

Name Description
oxide

[1]

briar

[1]

ricinus

[1]

darkmatter

[1]

Techniques Used

Domain ID Name Use
Mobile T1401 Abuse Device Administrator Access to Prevent Removal

Mandrake can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.[1]

Mobile T1432 Access Contact List

Mandrake can access the device’s contact list.[1]

Mobile T1517 Access Notifications

Mandrake can capture all device notifications and hide notifications from the user.[1]

Mobile T1409 Access Stored Application Data

Mandrake can collect all accounts stored on the device.[1]

Mobile T1418 Application Discovery

Mandrake can obtain a list of installed applications.[1]

Mobile T1412 Capture SMS Messages

Mandrake can access SMS messages.[1]

Mobile T1436 Commonly Used Port

Mandrake has communicated with the C2 server over TCP port 443.[1]

Mobile T1447 Delete Device Data

Mandrake can delete all data from an infected device.[1]

Mobile T1475 Deliver Malicious App via Authorized App Store

Mandrake has had the first stage (dropper) distributed via the Google Play Store.[1]

Mobile T1520 Domain Generation Algorithms

Mandrake has used domain generation algorithms.[1]

Mobile T1407 Download New Code at Runtime

Mandrake can download its second (Loader) and third (Core) stages after the dropper is installed.[1]

Mobile T1523 Evade Analysis Environment

Mandrake can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.[1]

Mobile T1541 Foreground Persistence

Mandrake uses foreground persistence to keep a service running. It shows the user a transparent notification to evade detection.[1]

Mobile T1516 Input Injection

Mandrake abuses the accessibility service to prevent removing administrator permissions, accessibility permissions, and to set itself as the default SMS handler.[1]

Mobile T1411 Input Prompt

Mandrake can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.[1]

Mobile T1478 Install Insecure or Malicious Configuration

Mandrake can enable app installation from unknown sources and can disable Play Protect.[1]

Mobile T1430 Location Tracking

Mandrake can collect the device’s location.[1]

Mobile T1444 Masquerade as Legitimate Application

Mandrake can mimic an app called "Storage Settings" if it cannot hide its icon.[1]

Mobile T1406 Obfuscated Files or Information

Mandrake obfuscates its hardcoded C2 URLs.[1]

Mobile T1544 Remote File Copy

Mandrake can install attacker-specified components or applications.[1]

Mobile T1513 Screen Capture

Mandrake can record the screen.[1]

Mobile T1582 SMS Control

Mandrake can block, forward, hide, and send SMS messages.[1]

Mobile T1508 Suppress Application Icon

Mandrake can hide its icon on older Android versions.[1]

Mobile T1426 System Information Discovery

Mandrake can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.[1]

Mobile T1509 Uncommonly Used Port

Mandrake has communicated with the C2 server over TCP port 7777.[1]

Mobile T1481 Web Service

Mandrake has used Firebase for C2.[1]

References