Mandrake Android spyware returns to Google Play, evading detection for 2 years. 32,000+ downloads, advanced obfuscation techniques, and C2 communication via certificate pinning.

Continue reading
Absolutely! Here's a technical write-up leveraging SEO keywords from the provided text, enriched for authority and tactical detail, and formatted in markdown:
After a two-year hiatus, the Mandrake Android spyware has re-emerged on the Google Play Store. This comprehensive technical analysis delves into the advanced obfuscation methods, sandbox evasion strategies, and anti-analysis techniques employed by the latest Mandrake variant. We unveil the evolution of this cyber-espionage platform and highlight the ongoing challenges faced by mobile security solutions in detecting and neutralizing such sophisticated threats.
The updated Mandrake infection chain involves a multi-stage approach:
Mandrake utilizes a complex data decryption scheme involving custom XOR encoding, AES encryption, and OpenSSL functions. The encryption keys and C2 domain information are embedded within the native library.
The malware incorporates a variety of techniques to evade detection and analysis:
Mandrake utilizes encrypted certificates for C2 communication, hindering interception of SSL traffic. A custom JSON-like serialization format is used for data exchange, with specific opcodes for various commands and responses.
Based on similarities to previous campaigns and C2 infrastructure linked to Russia, the threat actor is likely the same as identified in past Mandrake activities. Victims are widespread across various countries, with a concentration in Canada, Germany, Italy, Mexico, Spain, Peru, and the UK.
The resurgence of Mandrake on Google Play underscores the evolving nature of mobile malware and the persistent challenges in maintaining mobile security. This analysis serves as a comprehensive resource for understanding the latest Mandrake variant and the techniques it employs to evade detection and compromise Android devices.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation