Bitdefender has identified a spying platform on Android devices that can easily defeat two-factor authentication (2FA) codes that some banks send to prevent fraud

In early 2020 Bitdefender identified a new, highly sophisticated Android espionage platform that had been active in the wild for at least four years. We named the threat Mandrake as the actor(s) behind it used names of toxic plants, or other botanical references, for major development branches: e.g. briar, ricinusor Nerium. Only recently did the threat actor change its name to darkmatter.

Mandrake is well developed and has a comprehensive 4-year track record: New features have constantly been pushed into production, while others have been deprecated. Bugs are constantly being ironed out and, overall, the malware framework is swarming with activity.

Considering the complexity of the spying platform, Bitdefender experts assume that every attack is targeted individually, executed with surgical precision and manual rather than automated. Weaponization would take place after a period of total monitoring of the device and victim. The attacker has access to data such as device preferences, address book and messages, screen recording, device usage and inactivity times, and can obviously paint a pretty accurate picture of the victim, and their whereabouts.

The malware has complete control of the device: it can turn down the volume of the phone and block calls or messages, steal credentials, exfiltrate information, to money transfers and blackmailing.

It can conduct phishing attacks, by loading a webpage and injecting a specially crafted JavaScript code to retrieve all data from input forms.

„Although the campaign masters all elements of a professional spyware platform, we believe this attack is most likely financially motivated. This threat can easily defeat two-factor authentication (2FA) codes that some banks send to prevent fraud.”, the Bitdefender experts said.

Most victims of the Mandrake stealer are in Australia, Europe, America and Canada. In particular, Australia seems to be highly targeted.

„Our sinkholing efforts revealed about 1,000 victims during a 3-week period. We estimate the number of victims in the tens of thousands for the current wave, and probably hundreds of thousands throughout the full 4-year period. We can also extrapolate that every victim of Mandrake has most probably been exposed to some form of data theft.”, according to Bitdefender.

For more details download Bitdefender White Paper – Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years