These 5 apps have been spying and stealing data since 2022 and must be deleted immediately

Android espionage platform Mandrake, which started its activities in 2016 and was first discovered in 2020 by Bitdefender, is back. It has evolved into a stronger version of itself that can evade Google Play checks, making detection harder. Kaspersky stumbled upon five new apps with the spyware.

According to the cybersecurity company, five apps that were available on Google Play from 2022 to 2024 contained the new version of Malware. They were collectively downloaded over 32,000 times, predominantly by users in Canada, Germany, Italy, Mexico, Spain, Peru and the UK.

Here are the names of the infected apps:

• AirFS – 30,305 installs
• Astro Explorer – 718 installs
• Amber – 19 installs
• CryptoPulsing – 790 installs
• Brain Matrix – 259 installs

Most of these apps remained available on Google Play for at least a year before being removed, with one – AirFS – getting the boot only in March 2024. Until today, none of the apps were flagged as malicious by any anti-virus provider.

The Mandrake applications employed new layers of obfuscation techniques to lie low, such as conducting malicious activities in obfuscated libraries and using certificate pinning to prevent network sniffing.

AirFS, which was downloaded the most number of times, masqueraded as a file-sharing app, but users complained it did not work and stole their data.

That’s not all these apps were capable of, with the report noting they can send device information and a list of installed apps to their masters, install more apps, change icons, and ask for permission to run in the background.

Like the earlier versions, the new Mandrake platform works in three stages. It only tries to infect victims when a target is deemed relevant. This is decided on the strength of the data.

Once a device is designated a target, the malware records the screen and collects cookies to steal credentials and “download and execute next-stage malicious applications”, which are Mandrake’s main motives.

To get you to install a new app, Mandrake sends notifications that look like they came from Google Play. With Android 13, the Restricted Settings feature was introduced to prevent sideloaded apps from requesting dangerous permission directly, but Mandrake is capable of bypassing it.

Check your phone for the aforementioned apps and if you happen to have downloaded any of them, delete them right away.

Google gave the following statement to Bleeping Computer regarding the apps: