Hundreds of thousands of Android users hit by Google Play spyware

A prolific form of Android spying malware was left undetected in the Google Play store for four years and is likely to have affected hundreds of thousands of users, according to the team of researchers who discovered it.

The team from cyber security firm Bitdefender discovered the "highly sophisticated Android espionage platform" earlier this year, although they believe it had been active since 2016, first targeting Android users in Australia and then users in the Americas and Europe, including the UK.

The malware has been further defined as a strain of spyware, which allowed its authors to snoop on any user that downloaded infected apps and access personal data, such as device preferences, the contents of their address books and messages, as well as device usage data and inactivity times.

Researchers have named the spyware 'Mandrake', as the criminals behind it were found to be using names of toxic plants for their development branches.

The team also found that Mandrake conducted phishing attacks on applications including Amazon, Gmail, PayPal, Google Chrome, as well as popular cryptocurrency wallet apps such as Lunoor, Coinbase and numerous banking apps from around the world. UK banks were not listed by Bitdefender among the victims.

The creators of the malware attempted to gain a strong presence on the app market and circumvent Google Play security by publishing their own malicious apps, such as OfficeScanner and CoinCast, and generated fake comments and downloads in order to ensure that their application made it to the trending section of Google Play.

The malware developers went to great lengths to ensure their apps came across as legitimate software, including by engaging with negative reviews and comments, and delivering fixes to the apps.

The marketing behind the malicious apps was so extensive that CoinCast not only had an official website, but also a strong social media presence on Facebook, Twitter, Reddit, and YouTube.


IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network


Hackers even tried to evoke trust among its potential victims by listing an address for its OfficeScanner app on its Facebook page, namely the Engineering and Mathematical Sciences Building in Milwaukee, Wisconsin.

Alongside CoinCast and OfficeScanner, Bitdefender also listed Abfix, SnapTune Vid, Currency XE Converter, Horoskope, and Car News as other malicious applications developed by Mandrake operators.

The Bitdefender team estimates "the number of victims in the tens of thousands for the current wave, and probably hundreds of thousands throughout the full 4-year period".

"We can also extrapolate that every victim of Mandrake has most probably been exposed to some form of data theft," they said.

The discovery made by Bitdefender comes weeks after a group of cyber security experts from Cybereason Nocturnus found that a mobile-based trojan was capable of compromising Android's accessibility features in order to steal user data from banking applications and read user's SMS messages, allowing the malware to bypass two-factor authentication.

Sabina Weston

Having only graduated from City University in 2019, Sabina has already demonstrated her abilities as a keen writer and effective journalist. Currently a content writer for Drapers, Sabina spent a number of years writing for ITPro, specialising in networking and telecommunications, as well as charting the efforts of technology companies to improve their inclusion and diversity strategies, a topic close to her heart.

Sabina has also held a number of editorial roles at Harper's Bazaar, Cube Collective, and HighClouds.