A security firm recently uncovered the Mandrake spyware. Read on to learn more about it.
Bitdefender's cybersecurity research team has uncovered Mandrake, an Android spying operation specifically targeting Australian mobile banking users. The researchers found the Mandrake spyware earlier this year and believe the highly sophisticated spying platform has been active for at least four years.
Bitdefender said it has seen a rapid spread of attacks in Australia over the last two years, due in large part to Australia's high mobile banking usage, which makes the country a target for more banking trojans than any other developed country in the world.
To date, the team has recorded Mandrake subverting the Google Chrome, Gmail, ANZ Australia, Commonwealth Bank of Australia, Bank of Melbourne Mobile Banking, Bank of SA, Australian Super, and PayPal apps. Lead investigator Marius Tivadar told ZDNet that, from analysing data captured over a two-month period, the team identified 500 unique victims in Australia who had one or more devices compromised. He warned that the number could be much higher.
According to Bitdefender, the threat actors behind the campaign have leveraged the rise of mobile banking in Australia to target individuals. Mandrake is well developed and has evolved constantly over its four-year timeline: new features have been added, bugs fixed, and some functionalities dropped.
By analysing the captured data, the research team has identified 500 victims in Australia so far. However, some experts have said that the number of targeted victims could be much higher.
The well-developed Mandrake spyware has been continuously updated with new features, bug patches, and improved functionality over a period of four years. The threat actors use the spyware against individual targets. In this campaign, the spyware first performs a complete scan of the device and captures personal information about the victim. The attackers then gain access to the user's preferences, device usage, and inactivity times, and are able to record the screen.
With the Mandrake spyware, the cyber crooks can do anything from credential theft and information exfiltration to money transfers and blackmail. The spyware can also surreptitiously turn the phone's volume down and block calls or messages. The security researchers noted that the attackers might also be running an affiliate program, selling victims' information or access to them to other parties.
The threat actors' first wave of spyware attacks was observed in 2016-2017 and was directed at targets in the UK, US, Germany, and the Netherlands. The current wave, running from 2018 to 2020, is focused mainly on Australian users, with only a small presence in the US, Canada, and Europe.
According to the security researchers, the spyware authors appear to be selectively targeting a "special kind of consumers." The researchers suggested that Australia may be a lucrative target for the attackers because of its high mobile banking penetration and high GDP per capita.