Skip to content

Hide Navigation Hide TOC

Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)

Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.

Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)

Cluster A Galaxy A Cluster B Galaxy B Level
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware Input Injection - T1516 (d1f1337e-aea7-454c-86bd-482a98ffaf62) Attack Pattern 1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) Attack Pattern 1
Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad) Attack Pattern 1
Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) Attack Pattern 1
Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
SMS Control - T1582 (b327a9c0-e709-495c-aa6e-00b042136e2b) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware Non-Standard Port - T1509 (948a447c-d783-4ba0-8516-a64140fcacd5) Attack Pattern 1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 1
System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern 1
Foreground Persistence - T1541 (648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
Suppress Application Icon - T1628.001 (f05fc151-aa62-47e3-ae57-2d1b23d64bf6) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) Attack Pattern 1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) Attack Pattern 1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern 1
Domain Generation Algorithms - T1637.001 (fd211238-f767-4599-8c0d-9dca36624626) Attack Pattern Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware 1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307) Malware Code Signing Policy Modification - T1632.001 (fcb11f06-ce0e-490b-bcc1-04a1623579f0) Attack Pattern 1
Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) Attack Pattern 2
System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad) Attack Pattern Virtualization/Sandbox Evasion - T1633 (27d18e87-8f32-4be1-b456-39b90454360f) Attack Pattern 2
Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49) Attack Pattern Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) Attack Pattern 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 2
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern 2
Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern 2
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) Attack Pattern File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63) Attack Pattern 2
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f) Attack Pattern Suppress Application Icon - T1628.001 (f05fc151-aa62-47e3-ae57-2d1b23d64bf6) Attack Pattern 2
Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) Attack Pattern Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) Attack Pattern 2
Domain Generation Algorithms - T1637.001 (fd211238-f767-4599-8c0d-9dca36624626) Attack Pattern Dynamic Resolution - T1637 (2ccc3d39-9598-4d32-9657-42e1c7095d26) Attack Pattern 2
Subvert Trust Controls - T1632 (79cb02f4-ac4e-4335-8b51-425c9573cce1) Attack Pattern Code Signing Policy Modification - T1632.001 (fcb11f06-ce0e-490b-bcc1-04a1623579f0) Attack Pattern 2