Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)

Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.

Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8)	Attack Pattern	Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	1
File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63)	Attack Pattern	Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49)	Attack Pattern	1
Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e)	Attack Pattern	Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	1
Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee)	Attack Pattern	Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160)	Attack Pattern	1
SMS Control - T1582 (b327a9c0-e709-495c-aa6e-00b042136e2b)	Attack Pattern	Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a)	Attack Pattern	1
Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6)	Attack Pattern	Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	Foreground Persistence - T1541 (648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e)	Attack Pattern	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512)	Attack Pattern	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad)	Attack Pattern	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	Suppress Application Icon - T1628.001 (f05fc151-aa62-47e3-ae57-2d1b23d64bf6)	Attack Pattern	1
Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9)	Attack Pattern	Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	1
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	Domain Generation Algorithms - T1637.001 (fd211238-f767-4599-8c0d-9dca36624626)	Attack Pattern	1
Input Injection - T1516 (d1f1337e-aea7-454c-86bd-482a98ffaf62)	Attack Pattern	Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	1
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2)	Attack Pattern	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	1
Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	Code Signing Policy Modification - T1632.001 (fcb11f06-ce0e-490b-bcc1-04a1623579f0)	Attack Pattern	1
Non-Standard Port - T1509 (948a447c-d783-4ba0-8516-a64140fcacd5)	Attack Pattern	Mandrake - S0485 (52c994fa-b6c8-45a8-9586-a4275cf19307)	Malware	1
Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d)	Attack Pattern	File Deletion - T1630.002 (ab7400b7-3476-4776-9545-ef3fa373de63)	Attack Pattern	2
Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a)	Attack Pattern	Disable or Modify Tools - T1629.003 (2aa78dfd-cb6f-4c70-9408-137cfd96be49)	Attack Pattern	2
Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee)	Attack Pattern	Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380)	Attack Pattern	2
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512)	Attack Pattern	2
Virtualization/Sandbox Evasion - T1633 (27d18e87-8f32-4be1-b456-39b90454360f)	Attack Pattern	System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad)	Attack Pattern	2
Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f)	Attack Pattern	Suppress Application Icon - T1628.001 (f05fc151-aa62-47e3-ae57-2d1b23d64bf6)	Attack Pattern	2
Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9)	Attack Pattern	Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a)	Attack Pattern	2
Dynamic Resolution - T1637 (2ccc3d39-9598-4d32-9657-42e1c7095d26)	Attack Pattern	Domain Generation Algorithms - T1637.001 (fd211238-f767-4599-8c0d-9dca36624626)	Attack Pattern	2
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)	Attack Pattern	2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	2
Subvert Trust Controls - T1632 (79cb02f4-ac4e-4335-8b51-425c9573cce1)	Attack Pattern	Code Signing Policy Modification - T1632.001 (fcb11f06-ce0e-490b-bcc1-04a1623579f0)	Attack Pattern	2