From: Isaac Montara <IsaacMontara@nospam.com>
Newsgroups: comp.mobile.android
Subject: 5 Mandrake spyware apps removed from Google Play
Date: Tue, 30 Jul 2024 23:04:55 -0400
Message-ID: <v8c9kn$1drgn$1@dont-email.me>

https://arstechnica.com/security/2024/07/mysterious-family-of-malware-hid-in-google-play-for-years/

Besides a new round of decoy apps, the Mandrake operators also introduced several measures to better conceal their malicious behavior, avoid analysis from "sandboxes" used by researchers to identify and study malware, and combat malware protections introduced in recent years.

A key feature of the latest generation of Mandrake is multiple layers of obfuscation designed to prevent analysis by researchers and bypass the vetting process Google Play uses to identify malicious apps.

All five of the apps Kaspersky discovered first appeared in Play in 2022 and remained available for at least a year. The most recent app was updated on March 15 and removed from the app market later that month. As of earlier this month, none of the apps were detected as malicious by any major malware detection provider.

One means of obfuscation was to move malicious functionality to native libraries, which were obfuscated. Previously, Mandrake stored the malicious logic of the first stage in what's known as the application DEX file, a type of file that's trivial to analyze. By switching the location to the native library libopencv_dnn.so, the Mandrake code is harder to analyze and detect because the native libraries are more difficult to inspect. By then obfuscating the native library using the OLLVM obfuscator, Mandrake apps were even more stealthy.

The chief purposes of Mandrake are to steal the user's credentials and download and execute next-stage malicious applications. But these actions are carried out only in later-stage infections that are served only to a small number of carefully selected targets.

The primary method is by recording the screen while a victim is entering a passcode. The screen recording is initiated by a control server sending commands such as start_v, start_i, or start_a.

Package name                  App name
com.airft.ftrnsfr             AirFS
com.astro.dscvr               Astro Explorer
com.shrp.sght                 Amber
com.cryptopulsing.browser     CryptoPulsing
com.brnmth.mtrx               Brain Matrix

kodaslda
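A small triage helper, added here as an example and not part of the post, the Ars Technica article, or Kaspersky's report: it matches `pm list packages` output against the five package names quoted above, and lists the native libraries inside an APK, flagging a libopencv_dnn.so that ships without any other libopencv_* library (the assumption being that a genuine OpenCV build also bundles libopencv_core). The APK it inspects is a constructed in-memory zip, not a real sample.

```python
import io
import zipfile

# Package names quoted in the post (Kaspersky's findings, as reported by Ars Technica).
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr": "AirFS",
    "com.astro.dscvr": "Astro Explorer",
    "com.shrp.sght": "Amber",
    "com.cryptopulsing.browser": "CryptoPulsing",
    "com.brnmth.mtrx": "Brain Matrix",
}


def find_known_packages(pm_output: str) -> list:
    """Parse 'adb shell pm list packages' lines (package:<name>); return known hits."""
    hits = []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name = line[len("package:"):]
        if name in MANDRAKE_PACKAGES:
            hits.append((name, MANDRAKE_PACKAGES[name]))
    return hits


def native_libs(apk_bytes: bytes) -> list:
    """Return sorted basenames of native libraries (lib/<abi>/*.so) packaged in an APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted({n.rsplit("/", 1)[-1] for n in zf.namelist()
                       if n.startswith("lib/") and n.endswith(".so")})


def lone_opencv_dnn(libs: list) -> bool:
    """Heuristic (assumption, not from the article): libopencv_dnn.so present with no
    other libopencv_* library. Real OpenCV builds ship libopencv_core alongside it."""
    opencv = [lib for lib in libs if lib.startswith("libopencv_")]
    return opencv == ["libopencv_dnn.so"]


def build_fake_apk(lib_paths) -> bytes:
    """Construct a minimal zip standing in for an APK (test fixture only, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"")
        for path in lib_paths:
            zf.writestr(path, b"\x7fELF")  # placeholder bytes, not a real library
    return buf.getvalue()
```

On a device, feed `adb shell pm list packages` output to `find_known_packages` and a pulled APK to `native_libs`; a hit on either check is a reason to pull the app for analysis, not proof by itself.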