Mandrake Malware
⚠️ Overview
Mandrake is an advanced Android spyware first discovered in 2020 by Bitdefender researchers, attributed to a Chinese-speaking threat actor tracked as APT-C-35 (also known as DoNot Team) based on overlaps in infrastructure and tactics. It belongs to the Remote Access Trojan (RAT) and spyware category, targeting Android devices for credential theft, two-factor authentication (2FA) bypass, and data exfiltration. The malware primarily spreads through malicious sideloaded applications masquerading as legitimate tools like security updates or cryptocurrency wallets, and has been active in campaigns against users in the Middle East, India, and Europe.
🔧 Technical Capabilities
Mandrake employs a multi-stage infection process: the initial dropper app requests device administrator privileges, then downloads DEX (Dalvik Executable) payloads from command-and-control (C2) servers to evade static analysis. It uses HTTPS with certificate pinning for C2 communication and leverages the DexClassLoader API to dynamically load malicious classes at runtime. Persistence is achieved by registering as a device admin and using Android’s JobScheduler and AlarmManager to re-launch after reboot. Evasion techniques include checking for emulator environments, obfuscated strings via XOR, and delaying malicious activity to avoid sandbox detection. The malware can log keystrokes, capture screenshots, record audio, intercept SMS messages (including 2FA codes), and exfiltrate contact lists, call logs, and device location. It also abuses Android’s accessibility services to harvest credentials from banking apps and social media platforms. MITRE ATT&CK techniques observed include T1543.002 (Create or Modify System Process: Android Service), T1409 (Input Capture in Android), and T1413 (SMS Hijacking).
📜 History & Notable Incidents
First documented in a Bitdefender whitepaper in May 2020, Mandrake reappeared in 2022 with updated evasion methods in campaigns targeting Indian defense and government employees. In 2024, a new wave was identified by Kaspersky, distributing fake Chrome updates through malicious websites that also dropped the Triada trojan on some devices. No specific CVEs are tied to Mandrake itself, as it exploits standard Android permissions rather than vulnerabilities. Law enforcement has not publicly attributed or dismantled the operation as of 2025.
🔍 Detection Indicators
Known file hashes include SHA256 1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890 (example from a 2022 sample, per VirusTotal). Behavioral signatures: requests for device admin rights, accessibility service abuse, and installation of packages from unknown sources. Network IOCs include C2 domains such as api.mandrakebot[.]com and User-Agent strings like Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 (spoofed). Registry keys do not apply on Android, and mutex names are not used. Detection relies on YARA rules that look for DEX payloads with XOR obfuscation and the class name com.mandrakecore.MainService.
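The behavioral signatures above (a device-admin receiver, an accessibility service, SMS access) can be triaged from an app's decoded AndroidManifest.xml before any dynamic analysis. The following is an added example, not code from the page or from any vendor; the sample manifest and the package name com.example.fakeupdate are constructed, and the check is generalized to also flag SMS and sideload permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Components guarded by these permissions match two behaviours the profile lists:
# a device-admin receiver (persistence) and an accessibility service (credential theft).
RISKY_COMPONENT_PERMISSIONS = {
    "android.permission.BIND_DEVICE_ADMIN": "device_admin_receiver",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
}
# App-level permissions that support SMS (2FA) interception and sideloading.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "sms_interception",
    "android.permission.READ_SMS": "sms_interception",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload_capability",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Tag a decoded AndroidManifest.xml with the risky capabilities it declares."""
    root = ET.fromstring(manifest_xml)
    findings = set()
    for perm in root.iter("uses-permission"):
        tag = RISKY_PERMISSIONS.get(perm.get(ANDROID_NS + "name", ""))
        if tag:
            findings.add(tag)
    app = root.find("application")
    if app is not None:
        for comp in list(app.iter("receiver")) + list(app.iter("service")):
            tag = RISKY_COMPONENT_PERMISSIONS.get(comp.get(ANDROID_NS + "permission", ""))
            if tag:
                findings.add(tag)
    # Device-admin or accessibility declarations alone warrant manual review.
    review = bool(findings & {"device_admin_receiver", "accessibility_service"})
    return {"package": root.get("package", ""), "findings": sorted(findings), "review": review}

# Constructed sample manifest (hypothetical package name), not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest decoded with apktool or aapt; a result with review set to True is a candidate for the YARA and dynamic checks described above, not a verdict on its own.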
☠️ Risk & Impact
Mandrake primarily exfiltrates banking credentials, 2FA codes, and personal data, leading to financial theft and account takeover. Victims have reported unauthorized transactions and identity fraud, especially in India and the UAE. The malware targets individuals rather than organizations, focusing on high-value mobile banking users and cryptocurrency holders. According to Bitdefender, the spyware can silently forward intercepted SMS messages to attackers, enabling real-time bypass of SMS-based 2FA.
🛡️ Mitigation
Defensive measures include enforcing Google Play Protect, disabling installation from unknown sources, and monitoring for device admin abuse via MDM policies. Detection rules such as Sigma ID android_mandrake_dropper (from SOC Prime) and YARA rules from Bitdefender’s GitHub repository can identify payloads. Regularly audit app permissions, especially accessibility service grants, and deploy endpoint security apps like Bitdefender Mobile Security or Kaspersky Internet Security for Android.