securelist.com
158.160.164.142
Public Scan
URL:
https://securelist.com/mandrake-apps-return-to-google-play/113147/
Submission: On August 13 via api from IT — Scanned from IT
Form analysis
12 forms found in the DOM
<form>
<fieldset>
<legend class="visuallyhidden">Consent Selection</legend>
<div id="CybotCookiebotDialogBodyFieldsetInnerContainer">
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonNecessary"><strong
class="CybotCookiebotDialogBodyLevelButtonDescription">Necessari</strong></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper CybotCookiebotDialogBodyLevelButtonSliderWrapperDisabled"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonNecessary"
class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelButtonDisabled" disabled="disabled" checked="checked"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonPreferences"><strong
class="CybotCookiebotDialogBodyLevelButtonDescription">Preferenze</strong></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonPreferences" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonPreferencesInline" checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonStatistics"><strong
class="CybotCookiebotDialogBodyLevelButtonDescription">Statistiche</strong></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonStatistics" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonStatisticsInline" checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonMarketing"><strong
class="CybotCookiebotDialogBodyLevelButtonDescription">Marketing</strong></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonMarketing" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonMarketingInline" checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
</div>
</fieldset>
</form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonNecessaryInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelButtonDisabled" disabled="disabled" checked="checked"> <span
class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonPreferencesInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonPreferences"
checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonStatisticsInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonStatistics"
checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonMarketingInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonMarketing" checked="checked"
tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyContentCheckboxPersonalInformation" class="CybotCookiebotDialogBodyLevelButton"> <span
class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
GET https://securelist.com/
<form class="c-page-search__form c-page-search__form--small js-wizardinfosys_autosearch_form" full_search_url="https://securelist.com/?s=%q%" action="https://securelist.com/" method="get">
<div class="c-form-element c-form-element--style-fill">
<div class="c-form-element__field wp_autosearch_form_wrapper">
<input name="s" class="c-form-element__text wp_autosearch_input ac_input" data-webinars="" type="text" value="" placeholder="Search..." autocomplete="off">
</div>
</div>
<button class="c-button c-button--icon wp_autosearch_submit"><svg class="o-icon o-svg-icon o-svg-large">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-search"></use>
</svg></button>
</form>
GET https://securelist.com/
<form class="c-page-search__form js-main-search-popup js-wizardinfosys_autosearch_form" full_search_url="https://securelist.com/?s=%q%" action="https://securelist.com/" method="get">
<div class="c-form-element c-form-element--style-fill">
<div class="c-form-element__field wp_autosearch_form_wrapper">
<input name="s" class="c-form-element__text wp_autosearch_input ac_input" data-webinars="" type="text" value="" placeholder="Search..." autocomplete="off">
</div>
</div>
<button class="c-button c-button--icon wp_autosearch_submit"><svg class="o-icon o-svg-icon o-svg-large">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-search"></use>
</svg></button>
</form>
POST https://securelist.com/wp-comments-post.php
<form action="https://securelist.com/wp-comments-post.php" method="post" id="loginform" class="comment-form">
<p class="comment-notes"><span id="email-notes">Your email address will not be published.</span> <span class="required-field-message">Required fields are marked <span class="required">*</span></span></p>
<div class="comment-form-comment"><textarea id="comment" name="comment" style="width:100%" rows="8" aria-required="true" placeholder="Type your comment here"></textarea></div><!-- .comment-form-comment -->
<p class="comment-form-author"><label for="author">Name <span class="required">*</span></label> <input id="author" name="author" type="text" value="" size="30" maxlength="245" autocomplete="name" required="required"></p>
<p class="comment-form-email"><label for="email">Email <span class="required">*</span></label> <input id="email" name="email" type="text" value="" size="30" maxlength="100" aria-describedby="email-notes" autocomplete="email" required="required">
</p>
<script type="text/javascript">
document.addEventListener("input", function(event) {
if (!event.target.closest("#comment")) return;
try {
grecaptcha.render("recaptcha-submit-btn-area", {
"sitekey": "6LfQdrAaAAAAAEb_rTrwlbyc8z0Fa9CMjELY_2Ts",
"theme": "standard"
});
} catch (error) {
/*possible duplicated instances*/ }
});
</script>
<script src="https://www.google.com/recaptcha/api.js?hl=en&render=explicit" async="" defer=""></script>
<div id="recaptcha-submit-btn-area"> </div>
<noscript>
<style type="text/css">
#form-submit-save {
display: none;
}
</style>
<input name="submit" type="submit" id="submit-alt" tabindex="6" value="Submit Comment">
</noscript>
<p class="form-submit"><input name="submit" type="submit" id="commentsubmit" class="submit"
value="Comment"><a rel="nofollow" id="cancel-comment-reply-link" href="/mandrake-apps-return-to-google-play/113147/#respond" style="display:none;">Cancel</a> <input type="hidden" name="comment_post_ID" value="113147" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="8c4167c749"></p>
<p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js"
value="1723548542136">
<script>
document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
POST /mandrake-apps-return-to-google-play/113147/#gf_1579207247
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_1579207247" id="gform_1579207247" class="subscribe-mc" action="/mandrake-apps-return-to-google-play/113147/#gf_1579207247">
<div class="gform-content-wrapper">
<div class="gform_body gform-body">
<div id="gform_fields_1579207247" class="gform_fields top_label form_sublabel_below description_below">
<div id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible">
<div class="ginput_container ginput_container_email">
<div class="fl-wrap fl-wrap-input"><label class="gfield_label screen-reader-text fl-label" for="input_1579207247_1">Email(Required)</label><input name="input_1" id="input_1579207247_1" type="text" value="" class="medium fl-input"
placeholder="Email(Required)" aria-required="true" aria-invalid="false" data-placeholder="Email"></div>
</div>
</div>
<div id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden">
<div class="ginput_container ginput_container_text"><input name="input_3" id="input_1579207247_3" type="hidden" class="gform_hidden" aria-invalid="false" value=""></div>
</div>
<fieldset id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible">
<legend class="gfield_label screen-reader-text gfield_label_before_complex"><span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></legend>
<div class="ginput_container ginput_container_checkbox">
<div class="gfield_checkbox" id="input_1579207247_2">
<div class="gchoice gchoice_11_2_1">
<input class="gfield-choice-input" name="input_2.1" type="checkbox" value="I agree" id="choice_1579207247_11_2_1">
<label for="choice_1579207247_11_2_1" id="label_1579207247_11_2_1">I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time
via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label>
</div>
</div>
</div>
</fieldset>
</div>
</div>
<div class="gform_footer top_label"> <button type="submit" class="gform_button button" id="gform_submit_button_1579207247" value="Sign up">
<svg class="o-icon o-svg-icon o-svg-large">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope"></use>
</svg> <span>Subscribe</span>
</button>
<input type="hidden" name="gform_ajax" value="form_id=11&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_11" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="11">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_11" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_11" id="gform_target_page_number_1579207247_11" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_11" id="gform_source_page_number_1579207247_11" value="1">
<input type="hidden" name="gform_random_id" value="1579207247"><input type="hidden" name="gform_field_values" value="securelist_2020_form_location=sidebar">
</div>
</div>
<p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_2" name="ak_js"
value="1723548542137">
<script>
document.getElementById("ak_js_2").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
POST /mandrake-apps-return-to-google-play/113147/#gf_819973600
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_819973600" id="gform_819973600" class="subscribe-mc" action="/mandrake-apps-return-to-google-play/113147/#gf_819973600">
<div class="gform-content-wrapper">
<div class="gform_body gform-body">
<div id="gform_fields_819973600" class="gform_fields top_label form_sublabel_below description_below">
<div id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label screen-reader-text" for="input_819973600_1">Email<span
class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></label>
<div class="ginput_container ginput_container_email">
<input name="input_1" id="input_819973600_1" type="text" value="" class="medium" placeholder="Email" aria-required="true" aria-invalid="false">
</div>
</div>
<div id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden">
<div class="ginput_container ginput_container_text"><input name="input_3" id="input_819973600_3" type="hidden" class="gform_hidden" aria-invalid="false" value=""></div>
</div>
<fieldset id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible">
<legend class="gfield_label screen-reader-text gfield_label_before_complex"><span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></legend>
<div class="ginput_container ginput_container_checkbox">
<div class="gfield_checkbox" id="input_819973600_2">
<div class="gchoice gchoice_11_2_1">
<input class="gfield-choice-input" name="input_2.1" type="checkbox" value="I agree" id="choice_819973600_11_2_1">
<label for="choice_819973600_11_2_1" id="label_819973600_11_2_1">I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time
via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label>
</div>
</div>
</div>
</fieldset>
</div>
</div>
<div class="gform_footer top_label"> <button class="gform_button button" type="submit" id="gform_submit_button_819973600" value="Sign up">
<svg class="o-icon o-svg-icon o-svg-large u-hidden u-inline-block@sm">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope"></use>
</svg> <span class="u-hidden u-inline@sm">Subscribe</span>
<span class="u-hidden@sm"><svg class="o-icon o-svg-icon o-svg-right">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-arrow"></use>
</svg></span>
</button>
<input type="hidden" name="gform_ajax" value="form_id=11&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_11" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="11">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_11" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_11" id="gform_target_page_number_819973600_11" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_11" id="gform_source_page_number_819973600_11" value="1">
<input type="hidden" name="gform_random_id" value="819973600"><input type="hidden" name="gform_field_values" value="securelist_2020_form_location=">
</div>
</div>
<p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_3" name="ak_js"
value="1723548542194">
<script>
document.getElementById("ak_js_3").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
POST /mandrake-apps-return-to-google-play/113147/#gf_4247748675
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_4247748675" id="gform_4247748675" class="subscribe-mc" action="/mandrake-apps-return-to-google-play/113147/#gf_4247748675">
<div class="gform-content-wrapper">
<div class="gform_body gform-body">
<div id="gform_fields_4247748675" class="gform_fields top_label form_sublabel_below description_below">
<div id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible">
<div class="ginput_container ginput_container_email">
<div class="fl-wrap fl-wrap-input"><label class="gfield_label screen-reader-text fl-label" for="input_4247748675_1">Email(Required)</label><input name="input_1" id="input_4247748675_1" type="text" value="" class="medium fl-input"
placeholder="Email(Required)" aria-required="true" aria-invalid="false" data-placeholder="Email"></div>
</div>
</div>
<div id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden">
<div class="ginput_container ginput_container_text"><input name="input_3" id="input_4247748675_3" type="hidden" class="gform_hidden" aria-invalid="false" value=""></div>
</div>
<fieldset id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible">
<legend class="gfield_label screen-reader-text gfield_label_before_complex"><span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></legend>
<div class="ginput_container ginput_container_checkbox">
<div class="gfield_checkbox" id="input_4247748675_2">
<div class="gchoice gchoice_11_2_1">
<input class="gfield-choice-input" name="input_2.1" type="checkbox" value="I agree" id="choice_4247748675_11_2_1">
<label for="choice_4247748675_11_2_1" id="label_4247748675_11_2_1">I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time
via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label>
</div>
</div>
</div>
</fieldset>
</div>
</div>
<div class="gform_footer top_label"> <button type="submit" class="gform_button button" id="gform_submit_button_4247748675" value="Sign up">
<svg class="o-icon o-svg-icon o-svg-large">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope"></use>
</svg> <span>Subscribe</span>
</button>
<input type="hidden" name="gform_ajax" value="form_id=11&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_11" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="11">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_11" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_11" id="gform_target_page_number_4247748675_11" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_11" id="gform_source_page_number_4247748675_11" value="1">
<input type="hidden" name="gform_random_id" value="4247748675"><input type="hidden" name="gform_field_values" value="securelist_2020_form_location=sidebar">
</div>
</div>
<p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_4" name="ak_js"
value="1723548542198">
<script>
document.getElementById("ak_js_4").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
Learn More * KasperskyXDR Learn More * KasperskyEndpoint Security for Business Learn More * KasperskyEDR Expert Learn More * KasperskyEDR Optimum Learn More * KasperskyAnti Targeted Attack Platform Learn More * KasperskyHybrid Cloud Security Learn More * KasperskySD-WAN Learn More * KasperskyIndustrial CyberSecurity Learn More * KasperskyContainer Security Learn More * * OTHER PRODUCTS * Kaspersky Security for Internet Gateway * Kaspersky Embedded Systems Security * Kaspersky IoT Infrastructure Security * Kaspersky Secure Remote Workspace * Kaspersky Security for Mail Server * View All * Services * * KasperskyCybersecurity Services Learn More * KasperskySecurity Awareness Learn More * KasperskyPremium Support Learn More * KasperskyThreat Intelligence Learn More * KasperskyManaged Detection and Response Learn More * KasperskyCompromise Assessment Learn More * KasperskySOC Consulting Learn More * * OTHER SERVICES * Kaspersky Professional Services * Kaspersky Incident Response * Kaspersky Cybersecurity Training * Kaspersky Incident Communications * Kaspersky Adaptive Online Training * View All * Resource Center * Case Studies * White Papers * Datasheets * Technologies * MITRE ATT&CK * About Us * Transparency * Corporate News * Press Center * Careers * Innovation Hub * Sponsorship * Policy Blog * Contacts * GDPR * Subscribe Dark mode off Login * Securelist menu * English * Russian * Spanish * Existing Customers * Personal * My Kaspersky * Renew your product * Update your product * Customer support * Business * KSOS portal * Kaspersky Business Hub * Technical Support * Knowledge Base * Renew License * Home * Products * Trials&Update * Resource Center * Business * Kaspersky Next * Small Business (1-50 employees) * Medium Business (51-999 employees) * Enterprise (1000+ employees) * * Securelist * Threats * Financial threats * Mobile threats * Web threats * Secure environment (IoT) * Vulnerabilities and exploits * Spam and Phishing * Industrial threats * Categories * APT 
MANDRAKE SPYWARE SNEAKS ONTO GOOGLE PLAY AGAIN, FLYING UNDER THE RADAR FOR TWO YEARS

Malware descriptions | 29 Jul 2024 | 10 minute read

Authors
* Tatyana Shishkova
* Igor Golovin

Table of Contents
* Introduction
* Technical details
* Background
* Applications
* Malware implant
* Infection chain
* Second-stage commands
* Third-stage commands
* Data decryption methods
* Installing next-stage applications
* Sandbox evasion techniques and environment checks
* C2 communication
* Attribution
* Victims
* Conclusions
* Indicators of Compromise

INTRODUCTION

In May 2020, Bitdefender released a white paper containing a detailed analysis of Mandrake, a sophisticated Android cyber-espionage platform, which had been active in the wild for at least four years. In April 2024, we discovered a suspicious sample that appeared to be a new version of Mandrake.
Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any other vendor. The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment.

Our findings, in a nutshell, were as follows.

* After a two-year break, the Mandrake Android spyware returned to Google Play and lay low for two years.
* The threat actors have moved the core malicious functionality to native libraries obfuscated with OLLVM.
* Communication with command-and-control servers (C2) uses certificate pinning to prevent capture of SSL traffic.
* Mandrake is equipped with a diverse arsenal of sandbox evasion and anti-analysis techniques.

Kaspersky products detect this threat as HEUR:Trojan-Spy.AndroidOS.Mandrake.*.

TECHNICAL DETAILS

BACKGROUND

The original Mandrake campaign with its two major infection waves, in 2016–2017 and 2018–2020, was analyzed by Bitdefender in May 2020. After the Bitdefender report was published, we discovered one more sample associated with the campaign, which was still available on Google Play.

[Figure: The Mandrake application from the previous campaign on Google Play]

In April 2024, we found a suspicious sample that turned out to be a new version of Mandrake. The main distinguishing feature of the new Mandrake variant was layers of obfuscation designed to bypass Google Play checks and hamper analysis. We discovered five applications containing Mandrake, with more than 32,000 total downloads. All these were published on Google Play in 2022 and remained available for at least a year. The newest app was last updated on March 15, 2024 and removed from Google Play later that month.
As of July 2024, none of the apps had been detected as malware by any vendor, according to VirusTotal.

[Figure: Mandrake samples on VirusTotal]

APPLICATIONS

Package name | App name | MD5 | Developer | Released | Last updated on Google Play | Downloads
com.airft.ftrnsfr | AirFS | 33fdfbb1acdc226eb177eb42f3d22db4 | it9042 | Apr 28, 2022 | Mar 15, 2024 | 30,305
com.astro.dscvr | Astro Explorer | 31ae39a7abeea3901a681f847199ed88 | shevabad | May 30, 2022 | Jun 06, 2023 | 718
com.shrp.sght | Amber | b4acfaeada60f41f6925628c824bb35e | kodaslda | Feb 27, 2022 | Aug 19, 2023 | 19
com.cryptopulsing.browser | CryptoPulsing | e165cda25ef49c02ed94ab524fafa938 | shevabad | Nov 02, 2022 | Jun 06, 2023 | 790
com.brnmth.mtrx | Brain Matrix | – | kodaslda | Apr 27, 2022 | Jun 06, 2023 | 259

Mandrake applications on Google Play

We were not able to get the APK file for com.brnmth.mtrx, but given the developer and publication date, we assume with high confidence that it contained Mandrake spyware.

[Figure: Application icons]

MALWARE IMPLANT

The focus of this report is an application named AirFS, which was offered on Google Play for two years and last updated on March 15, 2024. It had the biggest number of downloads: more than 30,000. The malware was disguised as a file sharing app.

[Figure: AirFS on Google Play]

According to reviews, several users noticed that the app did not work or stole data from their devices.

[Figure: Application reviews]

INFECTION CHAIN

Like the previous versions of Mandrake described by Bitdefender, applications in the latest campaign work in stages: dropper, loader and core. Unlike the previous campaign, where the malicious logic of the first stage (dropper) was found in the application DEX file, the new versions hide all the first-stage malicious activity inside the native library libopencv_dnn.so, which is harder to analyze and detect than DEX files. This library exports functions to decrypt the next stage (loader) from the assets/raw folder.
[Figure: Contents of the main APK file]

Interestingly, the sample com.shrp.sght has only two stages: the loader and core capabilities are combined into one APK file, which the dropper decrypts from its assets.

While in past Mandrake campaigns we saw different branches (“oxide”, “briar”, “ricinus”, “darkmatter”), the current campaign is related to the “ricinus” branch. The second- and third-stage files are named “ricinus_airfs_3.4.0.9.apk”, “ricinus_dropper_core_airfs_3.4.1.9.apk”, “ricinus_amber_3.3.8.2.apk” and so on.

When the application starts, it loads the native library:

[Figure: Loading the native library]

To make detection harder, the first-stage native library is heavily obfuscated with the OLLVM obfuscator. Its main goal is to decrypt and load the second stage, named “loader”. After unpacking, decrypting and loading the second-stage DEX file into memory, the code calls the method dex_load and executes the second stage. In this method, the second-stage native library path is added to the class loader, and the second-stage main activity and service start. The application then shows a notification that asks for permission to draw overlays.

When the main service starts, the second-stage native library libopencv_java3.so is loaded, and the certificate for C2 communications, which is placed in the second-stage assets folder, is decrypted. The threat actors used an IP address for C2 communications; if the connection could not be established, the malware tried to connect to further domains. After successfully connecting, the app sends information about the device, including the installed applications, mobile network, IP address and unique device ID, to the C2. If the threat actors find their target relevant on the strength of that data, they respond with a command to download and run the “core” component of Mandrake. The app then downloads, decrypts and executes the third stage (core), which contains the main malware functionality.
SECOND-STAGE COMMANDS

Command | Description
start | Start activity
cup | Set wakelock, enable Wi-Fi, and start main parent service
cdn | Start main service
stat | Collect information about connectivity status, battery optimization, “draw overlays” permission, adb state, external IP, Google Play version
apps | Report installed applications
accounts | Report user accounts
battery | Report battery percentage
home | Start launcher app
hide | Hide launcher icon
unload | Restore launcher icon
core | Start core loading
clean | Remove downloaded core
over | Request “draw overlays” permission
opt | Grant the app permission to run in the background

THIRD-STAGE COMMANDS

Command | Description
start | Start activity
duid | Change UID
cup | Set wakelock, enable Wi-Fi, and start main parent service
cdn | Start main service
stat | Collect information about connectivity status, battery optimization, “draw overlays” permission, adb state, external IP, Google Play version
apps | Report installed applications
accounts | Report user accounts
battery | Report battery percentage
home | Start launcher app
hide | Hide launcher icon
unload | Restore launcher icon
restart | Restart application
apk | Show application install notification
start_v | Load an interactive webview overlay with a custom implementation of screen sharing with remote access, referred to by the malware developers as “VNC”
start_a | Load webview overlay with automation
stop_v | Unload webview overlay
start_i, start_d | Load webview overlay with screen record
stop_i | Stop webview overlay
upload_i, upload_d | Upload screen record
over | Request “draw overlays” permission
opt | Grant the app permission to run in the background

When Mandrake receives a start_v command, the service starts and loads the specified URL in an application-owned webview with a custom JavaScript interface, which the application uses to manipulate the web page it loads.
While the page is loading, the application establishes a websocket connection and starts taking screenshots of the page at regular intervals, encoding them to base64 strings and sending these to the C2 server. The attackers can use additional commands to adjust the frame rate and quality. The threat actors call this “vnc_stream”. At the same time, the C2 server can send back control commands that make the application execute actions, such as swipe to a given coordinate, change the webview size and resolution, switch between the desktop and mobile page display modes, enable or disable JavaScript execution, change the User Agent, import or export cookies, go back and forward, refresh the loaded page, zoom the loaded page and so on.

When Mandrake receives a start_i command, it loads a URL in a webview, but instead of initiating a “VNC” stream, the C2 server starts recording the screen and saving the record to a file. The recording process is similar to the “VNC” scenario, but screenshots are saved to a video file. Also in this mode, the application waits until the user enters their credentials on the web page and then collects cookies from the webview.

The start_a command allows running automated actions in the context of the current page, such as swipe, click, etc. For this, Mandrake downloads automation scenarios from the URL specified in the command options. In this mode, the screen is also recorded. Screen recordings can be uploaded to the C2 with the upload_i or upload_d commands.

The main goals of Mandrake are to steal the user’s credentials, and download and execute next-stage malicious applications.

DATA DECRYPTION METHODS

Data encryption and decryption logic is similar across different Mandrake stages. In this section, we will describe the second-stage data decryption methods. The second-stage native library libopencv_java3.so contains AES-encrypted C2 domains, and keys for configuration data and payload decryption.
Encrypted strings are mixed with plain text strings. To get the length of the string, Mandrake XORs the first three bytes of the encrypted array, then uses the first two bytes of the array as keys for custom XOR encoding.

[Figure: Strings decryption algorithm]

The key and IV for decrypting AES-encrypted data are encoded in the same way, with part of the data additionally XORed with constants.

[Figure: AES key decryption]

Mandrake uses the OpenSSL library for AES decryption, albeit in quite a strange way. The encrypted file is divided into 16-byte blocks, each of these decrypted with AES-CFB128. The encrypted certificate for C2 communication is located in the assets/raw folder of the second stage as a file named cart.raw, which is decrypted using the same algorithm.

INSTALLING NEXT-STAGE APPLICATIONS

When Mandrake gets an apk command from the C2, it downloads a new separate APK file with an additional module and shows the user a notification that looks like something they would receive from Google Play. The user clicking the notification initiates the installation process. Android 13 introduced the “Restricted Settings” feature, which prohibits sideloaded applications from directly requesting dangerous permissions. To bypass this feature, Mandrake processes the installation with a “session-based” package installer.

[Figure: Installing additional applications]

SANDBOX EVASION TECHNIQUES AND ENVIRONMENT CHECKS

While the main goal of Mandrake remains unchanged from past campaigns, the code complexity and quantity of the emulation checks have significantly increased in recent versions to prevent the code from being executed in environments operated by malware analysts. However, we were able to bypass these restrictions and discovered the changes described below.

The versions of the malware discovered earlier contained only a basic emulation check routine.

[Figure: Emulator checks in an older Mandrake version]

In the new version, we discovered more checks.
To start with, the threat actors added Frida detection. When the application starts, it loads the first-stage native library libopencv_dnn.so. The init_array section of this library contains the Frida detector function call. The threat actors used the DetectFrida method. First, it computes the CRC of all libraries, then it starts a Frida detect thread. Every five seconds, it checks that libraries in memory have not been changed. Additionally, it checks for Frida presence by looking for specific thread and pipe names used by Frida. So, when an analyst tries to use Frida against the application, execution is terminated. Even if you use a custom build of Frida and try to hook a function in the native library, the app detects the code change and terminates.

Next, after collecting device information to make a request for the next stage, the application checks the environment to find out if the device is rooted and if there are analyst tools installed. Unlike some other threat actors who seek to take advantage of root access, Mandrake developers consider a rooted device dangerous, as average users, their targets, do not typically root their phones. First, Mandrake tries to find a su binary, a SuperUser.apk, Busybox or Xposed framework, and Magisk and Saurik Substrate files. Then it checks if the system partition is mounted as read-only. Next, it checks if development settings and ADB are enabled. And finally, it checks for the presence of a Google account and Google Play application on the device.

C2 COMMUNICATION

All C2 communications are maintained via the native part of the applications, using a statically compiled OpenSSL library. To prevent network traffic sniffing, Mandrake uses an encrypted certificate, decrypted from the assets/raw folder, to secure C2 communications. The client needs to be verified by this certificate, so an attempt to capture SSL traffic results in a handshake failure and a breakdown in communications.
Still, any packets sent to the C2 are saved locally for additional AES encryption, so we are able to look at message content. Mandrake uses a custom JSON-like serialization format, the same as in previous campaigns.

Example of a C2 request:

node #1 {
    uid "a1c445f10336076b";
    request "1000";
    data_1 "32|3.1.1|HWLYO-L6735|26202|de||ricinus_airfs_3.4.0.9|0|0|0||0|0|0|0|Europe/Berlin||180|2|1|41|115|0|0|0|0|loader|0|0|secure_environment||0|0|1|0||0|85.214.132.126|0|1|38.6.10-21 [0] [PR] 585796312|0|0|0|0|0|";
    data_2 "loader";
    dt 1715178379;
    next #2;
}
node #2 {
    uid "a1c445f10336076b";
    request "1010";
    data_1 "ricinus_airfs_3.4.0.9";
    data_2 "";
    dt 1715178377;
    next #3;
}
node #3 {
    uid "a1c445f10336076b";
    request "1003";
    data_1 "com.airft.ftrnsfr\n\ncom.android.calendar\n\[redacted]\ncom.android.stk\n\n";
    data_2 "";
    dt 1715178378;
    next NULL;
}

Example of a C2 response:

node #1 {
    response "a1c445f10336076b";
    command "1035";
    data_1 "";
    data_2 "";
    dt "0";
    next #2;
}
node #2 {
    response "a1c445f10336076b";
    command "1022";
    data_1 "20";
    data_2 "1";
    dt "0";
    next #3;
}
node #3 {
    response "a1c445f10336076b";
    command "1027";
    data_1 "1";
    data_2 "";
    dt "0";
    next #4;
}
node #4 {
    response "a1c445f10336076b";
    command "1010";
    data_1 "ricinus_dropper_core_airfs_3.4.1.9.apk";
    data_2 "60";
    dt "0";
    next NULL;
}
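The serialization is regular enough to parse mechanically, which helps when messages are recovered from the local cache the report mentions. As an added example (not code from the report or from the malware), here is a Python parser that tokenizes the node blocks, follows the next pointers into an ordered chain, and labels each opcode with the meanings listed in the report; the sample messages are constructed from the request and response shown above, with the redacted package entry dropped.

```python
import re

# Opcode meanings as listed in the report. Requests and responses are separate
# namespaces: 1010 means "component info" in a request but "install APK" in a response.
REQUEST_OPCODES = {
    1000: "send device information",
    1003: "send list of installed applications",
    1010: "send information about the component",
}
RESPONSE_OPCODES = {
    1002: "set contact rate (client-server communication)",
    1010: "install next-stage APK",
    1011: "abort next-stage install",
    1022: "request user to allow app to run in background",
    1023: "abort request to allow app to run in background",
    1027: "change application icon to default or Wi-Fi service icon",
}

# Token grammar: node references (#2), quoted strings with backslash escapes, integers, NULL, names, { } ;
_TOKEN_RE = re.compile(
    r'\s*(?:(?P<ref>#\d+)|(?P<str>"(?:\\.|[^"\\])*")|(?P<num>-?\d+)'
    r'|(?P<null>\bNULL\b)|(?P<ident>[A-Za-z_]\w*)|(?P<punct>[{};]))'
)
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"'}

# Constructed samples modelled on the request and response printed in the report
# (same uid, opcodes and data fields; the redacted package entry has been dropped).
SAMPLE_REQUEST = r"""node #1 { uid "a1c445f10336076b"; request "1000"; data_1 "32|3.1.1|HWLYO-L6735|26202|de||ricinus_airfs_3.4.0.9|0|0|0||0|0|0|0|Europe/Berlin||180|2|1|41|115|0|0|0|0|loader|0|0|secure_environment||0|0|1|0||0|85.214.132.126|0|1|38.6.10-21 [0] [PR] 585796312|0|0|0|0|0|"; data_2 "loader"; dt 1715178379; next #2; }
node #2 { uid "a1c445f10336076b"; request "1010"; data_1 "ricinus_airfs_3.4.0.9"; data_2 ""; dt 1715178377; next #3; }
node #3 { uid "a1c445f10336076b"; request "1003"; data_1 "com.airft.ftrnsfr\n\ncom.android.calendar\ncom.android.stk\n\n"; data_2 ""; dt 1715178378; next NULL; }"""
SAMPLE_RESPONSE = r"""node #1 { response "a1c445f10336076b"; command "1035"; data_1 ""; data_2 ""; dt "0"; next #2; }
node #2 { response "a1c445f10336076b"; command "1022"; data_1 "20"; data_2 "1"; dt "0"; next #3; }
node #3 { response "a1c445f10336076b"; command "1027"; data_1 "1"; data_2 ""; dt "0"; next #4; }
node #4 { response "a1c445f10336076b"; command "1010"; data_1 "ricinus_dropper_core_airfs_3.4.1.9.apk"; data_2 "60"; dt "0"; next NULL; }"""

def _unescape(body: str) -> str:
    """Resolve backslash escapes; unknown escapes are kept verbatim rather than dropped."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), body)

def tokenize(text: str) -> list:
    """Split a message into (kind, text) tokens; anything outside the grammar is an error."""
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 20]!r}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens

def _decode(kind: str, raw: str):
    """Value token -> Python value: quoted string, int (dt), node id (#2 -> 2), or None for NULL."""
    if kind == "str":
        return _unescape(raw[1:-1])
    if kind in ("num", "ref"):
        return int(raw.lstrip("#"))
    if kind == "null":
        return None
    raise ValueError(f"token {raw!r} cannot be a field value")

def parse_nodes(text: str) -> dict:
    """Parse 'node #N { key value; ... }' blocks into {N: {key: value}}."""
    toks, nodes, i = tokenize(text), {}, 0
    while i < len(toks):
        if toks[i] != ("ident", "node") or toks[i + 1][0] != "ref" or toks[i + 2] != ("punct", "{"):
            raise ValueError(f"expected 'node #N {{' near token {i}")
        node_id, fields, i = _decode(*toks[i + 1]), {}, i + 3
        while toks[i] != ("punct", "}"):
            if toks[i][0] != "ident" or toks[i + 2] != ("punct", ";"):
                raise ValueError(f"malformed field near token {i}")
            fields[toks[i][1]] = _decode(*toks[i + 1])
            i += 3
        nodes[node_id], i = fields, i + 1
    return nodes

def follow_chain(nodes: dict, start: int = 1) -> list:
    """Order the nodes by their 'next' pointers from node #start; NULL ends the chain."""
    order, seen, cur = [], set(), start
    while cur is not None:
        if cur in seen or cur not in nodes:
            raise ValueError(f"broken next chain at node #{cur}")
        seen.add(cur)
        order.append(nodes[cur])
        cur = nodes[cur].get("next")
    return order

def describe(message: str) -> list:
    """Walk a request or response and label each node with the opcode meaning from the report."""
    out = []
    for node in follow_chain(parse_nodes(message)):
        is_req = "request" in node
        opcode = int(node["request" if is_req else "command"])
        table = REQUEST_OPCODES if is_req else RESPONSE_OPCODES
        out.append({"direction": "request" if is_req else "response", "opcode": opcode,
                    "meaning": table.get(opcode, "not documented in the report"),
                    "data_1": node.get("data_1", ""), "data_2": node.get("data_2", "")})
    return out

if __name__ == "__main__":
    for e in describe(SAMPLE_REQUEST) + describe(SAMPLE_RESPONSE):
        print(f"{e['direction']:8} {e['opcode']}  {e['meaning']}  data_1={e['data_1'][:40]!r}")
```

Request 1000's data_1 is a "|"-separated record whose field meanings the report does not name, so it is left for the analyst to split; request 1003's data_1 is a newline-separated package list.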
Mandrake uses opcodes from 1000 to 1058. The same opcode can represent different actions depending on whether it is used for a request or a response. See below for examples of this.

* Request opcode 1000: send device information;
* Request opcode 1003: send list of installed applications;
* Request opcode 1010: send information about the component;
* Response opcode 1002: set contact rate (client-server communication);
* Response opcode 1010: install next-stage APK;
* Response opcode 1011: abort next-stage install;
* Response opcode 1022: request user to allow app to run in background;
* Response opcode 1023: abort request to allow app to run in background;
* Response opcode 1027: change application icon to default or Wi-Fi service icon.

ATTRIBUTION

Considering the similarities between the current campaign and the previous one, and the fact that the C2 domains are registered in Russia, we assume with high confidence that the threat actor is the same as stated in Bitdefender’s report.

VICTIMS

The malicious applications on Google Play were available in a wide range of countries. Most of the downloads were from Canada, Germany, Italy, Mexico, Spain, Peru and the UK.

CONCLUSIONS

The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion and bypassing new defense mechanisms.
After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years, while still available for download on Google Play. This highlights the threat actors’ formidable skills, and also shows that stricter pre-publication controls in app markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.

INDICATORS OF COMPROMISE

Domains and IPs
45.142.122[.]12
ricinus[.]ru
ricinus-ca[.]ru
ricinus-cb[.]ru
ricinus-cc[.]ru
ricinus[.]su
toxicodendron[.]ru

Tags: Google Android, Google Play, Malware Descriptions, Mobile Malware, Spyware, Targeted attacks

COMMENTS

Michael Lesanangi (August 6, 2024, 5:17 pm):
Waiting to see how it works

Securelist (August 8, 2024, 12:57 pm), in reply:
Hi Michael! This is a full report; for the detailed description of Mandrake’s methods, please see the “Infection chain” part (https://securelist.com/mandrake-apps-return-to-google-play/113147/#infection-chain).