


Android spyware gives attackers total control of your phone: What to do

[Image: a skull and crossbones displayed on a smartphone screen against a background of circuits and bits. Image credit: Marcos__Silva/Shutterstock]

A newly discovered strain of multi-stage Android spyware has been lurking in the background since 2016, infecting tens of thousands of users but not activating itself unless the malware operators decided the victim had enough money to be worth stealing from.

The malware, dubbed Mandrake by its discoverers at Bitdefender, can take "complete control of the device" and can steal information and cryptocurrency, break into bank accounts, and even factory-reset infected phones to cover its tracks.


Mandrake-infected apps have been purged from the Google Play store, but they almost certainly still lurk in "off-road" app markets out of Google's reach. To avoid infection, make sure your phone's settings have not been changed to accept apps from "unknown sources," and install some of the best Android antivirus apps.

A tragedy in three acts

Mandrake's first stage, the "dropper," comes in the form of benign-looking apps that really do what they promise. Bitdefender found several of those in Google Play under the names CoinCast, Currency XE Converter, Car News, Horoskope, SnapTune Vid, Abfix and Office Scanner.

All have now been removed from Google Play, although Tom's Guide was able to confirm that Facebook and YouTube pages advertising some of them were still up.

If you install one of these innocent-looking apps, it collects information about your device and your surroundings, but otherwise does nothing terrible.

If the app didn't work well for its advertised purposes and you complained about it on Google Play, the malware operators would apologize and make improvements.

"We estimate the number of victims in the tens of thousands for the current wave, and probably hundreds of thousands throughout the full 4-year period," Bitdefender wrote in its report.

But the first stage would also trick you into authorizing app installations from outside the Google Play store, after which it would download and install the second stage, the "loader," which calls itself "Android system" to avoid attention.

The loader lurks in the background, collecting more information about you and sending it to the malware operators until they decide whether you look rich enough to steal from. If so, then the loader downloads the third stage, the core Mandrake malware.

"Because of the complexity of the spying platform, we assume that every attack is targeted individually, executed with surgical precision and manual rather than automated," Bitdefender wrote.

Mandrake's "ritual suicide"

Mandrake tricks you by putting fake overlays on your screen, such as an end-user license agreement that must be agreed to. Those are tailored to different phones, screen sizes, languages and versions of Android. But when you click "OK" to accept the agreement, you're really granting it administrative privileges.

Then Mandrake forwards all your text messages to the attackers, forwards phone calls to other numbers, blocks calls, installs or removes apps, steals contact lists, hides notifications, records screen activity, steals passwords to your Facebook and online bank accounts, creates phishing pages to steal your credentials for Gmail and Amazon, and tracks your location.

The coup de grâce is a command built into the malware called "seppuku," named after a form of Japanese ritual suicide. That command would factory-wipe the device, erasing all trace of the malware as well as all user data.

Because you were tricked into granting Mandrake administrative privileges, rebooting the device or uninstalling the first-stage app won't get rid of the core malware.

"The only way to remove Mandrake is to boot the device in safe mode, remove the device administrator special permission and uninstall it manually," Bitdefender wrote.
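As an added example that is not part of the article or of Bitdefender's report, the shell script below audits from a workstation, over adb, the two footholds the article describes: third-party apps allowed to install from "unknown sources" and apps holding device-administrator rights. It assumes USB debugging is enabled and that `dumpsys device_policy` and `appops get` print in the formats noted in the comments; the sample dumpsys text and package names are constructed.

```shell
#!/bin/sh
# Added audit script (not from the Tom's Guide article or Bitdefender's report).
# Assumptions: USB debugging is on; `dumpsys device_policy` lists active admins
# as ComponentInfo{package/receiver}; `appops get <pkg> REQUEST_INSTALL_PACKAGES`
# answers "REQUEST_INSTALL_PACKAGES: allow" (or deny / "No operations.").

# Pull active device-admin components out of dumpsys text read from stdin.
list_device_admins() {
    tr -d '\r' | grep -o 'ComponentInfo{[^}]*}' \
        | sed 's/ComponentInfo{\(.*\)}/\1/' | sort -u
}

# From "<package>: allow|deny" lines on stdin, keep the packages permitted to
# sideload apps; any you do not recognise is a candidate dropper.
unknown_source_installers() {
    tr -d '\r' | awk -F': ' '$2 == "allow" { print $1 }'
}

# Live audit against a connected device (only runs when invoked with --run).
audit_device() {
    echo "== Device administrators (unknown ones: remove in safe mode via Settings) =="
    adb shell dumpsys device_policy | list_device_admins
    echo "== Third-party apps allowed to install unknown apps =="
    for pkg in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
        mode=$(adb shell appops get "$pkg" REQUEST_INSTALL_PACKAGES \
               | sed -n 's/^REQUEST_INSTALL_PACKAGES: \([a-z]*\).*/\1/p')
        printf '%s: %s\n' "$pkg" "${mode:-deny}"
    done | unknown_source_installers
}

# Constructed sample of dumpsys output from a device with one rogue admin.
SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.dropper/com.example.dropper.AdminReceiver}:
      uid=10123
  Password requirements:'

if [ "${1:-}" = "--run" ]; then
    audit_device
else
    printf '%s\n' "$SAMPLE_DUMPSYS" | list_device_admins
fi
```

Run it with `--run` against a connected phone; without arguments it only parses the constructed sample so the parsing can be checked offline.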

Because that's where the money is

Such sophisticated abilities, and such targeted attacks, are usually the sure signs of a state-controlled espionage operation. But the Bitdefender researchers think this was a purely criminal money grab, even if the operators do appear to be located in Russia.

Following the standard pattern of Russian malware, Mandrake won't infect Android users in Russia or former Soviet republics. But it also avoids all of Africa, any Arabic-speaking country and many poor nations in other regions.

For unknown reasons, it also avoids installing itself on phones with Verizon SIM cards, or SIM cards from a top Chinese cellular carrier.

Its primary target appears to be Australia, followed by North America, western Europe (and Poland) and some of the richer parts of South America.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/mandrake-android-spyware
