In early 2020 Bitdefender identified a new, highly sophisticated Android espionage platform that had been active in the wild for at least four years. We named the threat Mandrake because the actor(s) behind it used names of toxic plants, or other botanical references, for major development branches: e.g. briar, ricinus or Nerium. Only recently did the threat actor change its name to darkmatter.
Mandrake is well developed and has a comprehensive 4-year track record: new features have constantly been pushed into production, while others have been deprecated. Bugs are constantly being ironed out and, overall, the malware framework is swarming with activity.
Considering the complexity of the spying platform, Bitdefender experts assume that every attack is targeted individually and executed with surgical precision, manually rather than automatically. Weaponization would take place after a period of total monitoring of the device and victim. The attacker has access to data such as device preferences, address book and messages, screen recordings, device usage and inactivity times, and can obviously paint a pretty accurate picture of the victim and their whereabouts.
The malware has complete control of the device: its capabilities range from turning down the volume of the phone and blocking calls or messages, to stealing credentials and exfiltrating information, to money transfers and blackmail.
"Although the campaign masters all elements of a professional spyware platform, we believe this attack is most likely financially motivated. This threat can easily defeat two-factor authentication (2FA) codes that some banks send to prevent fraud," the Bitdefender experts said.
Most victims of the Mandrake stealer are in Australia, Europe, America and Canada. In particular, Australia seems to be highly targeted.
"Our sinkholing efforts revealed about 1,000 victims during a 3-week period. We estimate the number of victims in the tens of thousands for the current wave, and probably hundreds of thousands throughout the full 4-year period. We can also extrapolate that every victim of Mandrake has most probably been exposed to some form of data theft," according to Bitdefender.
For more details, download the Bitdefender white paper "Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years".
"The trends we had noticed before the start of the pandemic accelerated during the state of emergency. We saw this as an opportunity, a tipping point for the bank. Post-pandemic, there is no way we can return to the financial behaviour we had until February of this year. Romanians' relationship with online has changed. In addition, the physical card will dematerialize. We will see a decrease in demand for physical cards and, correspondingly, an increase in preference for their digital component."