
S0485 Mandrake

Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.

Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command. [1]

Item Value
ID S0485
Associated Names oxide, briar, ricinus, darkmatter
Type MALWARE
Version 1.0
Created 15 July 2020
Last Modified 11 September 2020

Associated Software Descriptions

Name Description
oxide [1]
briar [1]
ricinus [1]
darkmatter [1]

Techniques Used

Domain ID Name Use
mobile T1517 Access Notifications Mandrake can capture all device notifications and hide notifications from the user. [1]
mobile T1407 Download New Code at Runtime Mandrake can download its second (Loader) and third (Core) stages after the dropper is installed. [1]
mobile T1637 Dynamic Resolution -
mobile T1637.001 Domain Generation Algorithms Mandrake has used domain generation algorithms. [1]
mobile T1541 Foreground Persistence Mandrake uses foreground persistence to keep a service running. It shows the user a transparent notification to evade detection. [1]
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon Mandrake can hide its icon on older Android versions. [1]
mobile T1629 Impair Defenses -
mobile T1629.001 Prevent Application Removal Mandrake can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked. [1]
mobile T1629.003 Disable or Modify Tools Mandrake can disable Play Protect. [1]
mobile T1630 Indicator Removal on Host -
mobile T1630.002 File Deletion Mandrake can delete all data from an infected device. [1]
mobile T1544 Ingress Tool Transfer Mandrake can install attacker-specified components or applications. [1]
mobile T1417 Input Capture -
mobile T1417.002 GUI Input Capture Mandrake can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials. [1]
mobile T1516 Input Injection Mandrake abuses the accessibility service to prevent removal of administrator permissions and accessibility permissions, and to set itself as the default SMS handler. [1]
mobile T1430 Location Tracking Mandrake can collect the device’s location. [1]
mobile T1509 Non-Standard Port Mandrake has communicated with the C2 server over TCP port 7777. [1]
mobile T1406 Obfuscated Files or Information Mandrake obfuscates its hardcoded C2 URLs. [1]
mobile T1636 Protected User Data -
mobile T1636.003 Contact List Mandrake can access the device’s contact list. [1]
mobile T1636.004 SMS Messages Mandrake can access SMS messages. [1]
mobile T1513 Screen Capture Mandrake can record the screen. [1]
mobile T1582 SMS Control Mandrake can block, forward, hide, and send SMS messages. [1]
mobile T1418 Software Discovery Mandrake can obtain a list of installed applications. [1]
mobile T1409 Stored Application Data Mandrake can collect all accounts stored on the device. [1]
mobile T1632 Subvert Trust Controls -
mobile T1632.001 Code Signing Policy Modification Mandrake can enable app installation from unknown sources. [1]
mobile T1426 System Information Discovery Mandrake can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator. [1]
mobile T1633 Virtualization/Sandbox Evasion -
mobile T1633.001 System Checks Mandrake can evade automated analysis environments by requiring a CAPTCHA on launch that prevents the application from running if it is not passed. It also checks for indications that it is running in an emulator. [1]
mobile T1481 Web Service -
mobile T1481.002 Bidirectional Communication Mandrake has used Firebase for C2. [1]

References