S0485: Mandrake
Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.
Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.[1]
Analyst context for executives and security teams
Mandrake is an Android espionage malware family described by ATT&CK as sophisticated, actively maintained, and able to remain dormant until operators issue commands. Its business significance is mobile trust: apparently legitimate apps can become an access path to sensitive communications, credentials, location, contacts, SMS, notifications, screenshots, and application data. For leaders, the key question is whether enterprise mobile controls can see beyond app reputation and installation status into permissions, runtime behavior, network patterns, and high-risk Android capabilities.
Executive priority
Prioritize Mandrake as a mobile espionage and data-exposure planning case, especially for executives, privileged users, regulated functions, and staff using Android devices for business communication or identity verification. The supplied ATT&CK relationships point to behaviors that can affect identity assurance, privacy obligations, incident scoping, and continuity of trusted communications: notification access, SMS control and collection, GUI/input capture, location tracking, foreground persistence, tool transfer, and command-and-control over web services, non-standard ports, or generated domains. Executives should ask whether mobile device management, app governance, and SOC workflows provide auditable evidence for installed apps, permissions, risky accessibility/device-admin use, and mobile network activity.
Technical view
ATT&CK provides no official detection text for Mandrake, so defenders should validate coverage through the related Android techniques. Focus on whether mobile telemetry can identify suspicious permission combinations and behavior such as downloaded code at runtime, obfuscated payloads, system and software discovery, access to stored app data, contacts, SMS, notifications, screen capture, location, accessibility-driven input injection, foreground service abuse, suppressed app icons, prevention of app removal, attempts to disable tools, file deletion, code-signing policy changes, sandbox/system checks, and C2-like communication using web services, non-standard ports, or DGA-style domains. Because the description says activation may depend on operator commands, static app review alone is an expected blind spot; behavioral monitoring and incident-ready device collection procedures are important.
Likely telemetry
- Android device inventory and OS/version/patch posture from MDM or EMM
- Installed application inventory, package metadata, signing status, app source, and application icon visibility where available
- App permission grants and changes, especially SMS, contacts, location, notification access, accessibility services, device administrator, foreground service, and screen capture-related capabilities
- Runtime behavior indicating dynamic code download, new file/tool transfer, obfuscated or encrypted payloads, or unusual file deletion
- Network telemetry for mobile devices, including DNS queries, generated-looking domains, web-service communication, unusual protocol/port pairings, and outbound connections from mobile apps
Detection direction
- Do not rely solely on app-store presence, reviews, or static pre-install scanning; the supplied description and T1407 relationship support concern for code downloaded after installation and command-triggered activation.
- Tune mobile detections around clusters of behavior rather than one permission: for example, accessibility or device-admin use combined with SMS/notification access, foreground persistence, screen capture, or prevention of removal is higher risk than an isolated permission grant.
- Validate DNS and web traffic analytics for mobile endpoints, including web-service C2 patterns, non-standard port use, and domain-generation-like behavior, while accounting for legitimate mobile app background traffic.
- Review whether MDM/EMM tools expose enough evidence to investigate suppressed app icons, device-admin abuse, app removal prevention, security-tool tampering, and runtime code download; many mobile programs lack this depth.
- Use allowlisting and exception review carefully: legitimate business apps may request contacts, location, notifications, or foreground services, so detections should include app reputation, business justification, user role, and behavior over time.
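The cluster-based tuning described above can be expressed as a small scoring pass over an app inventory. The following is an added example written for this page, not code from ATT&CK, Glexia, or the Bitdefender report; the capability labels, package names, weights, and threshold are constructed assumptions standing in for whatever an organization's MDM/EMM export actually provides. It deliberately scores a lone permission grant at zero and only raises the score when a high-risk capability (accessibility, device admin, default SMS handler) co-occurs with collection or persistence behavior, or when code is downloaded after installation.

```python
"""Score Android app inventory records by clusters of capabilities.

Added example for this page. The capability labels below are constructed
names for an MDM/EMM export, not any vendor's schema; adjust them to the
fields your tooling actually emits.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Capability groups drawn from the Mandrake relationships on this page.
HIGH_RISK = {"accessibility_service", "device_admin", "default_sms_handler"}
COLLECTION = {"sms", "contacts", "location", "notification_access", "screen_capture"}
PERSISTENCE = {"foreground_service", "icon_hidden", "unknown_sources_enabled"}


@dataclass
class AppRecord:
    package: str
    source: str                     # "play" or "sideload" (constructed values)
    capabilities: Set[str] = field(default_factory=set)
    downloaded_code_at_runtime: bool = False   # e.g. new DEX/APK written post-install


def score_app(app: AppRecord) -> Tuple[int, List[str]]:
    """Return (score, reasons). Isolated grants score 0; combinations add up."""
    score, reasons = 0, []
    high = app.capabilities & HIGH_RISK
    collect = app.capabilities & COLLECTION
    persist = app.capabilities & PERSISTENCE

    # High-risk capability combined with data collection (e.g. accessibility + SMS).
    if high and collect:
        score += 3
        reasons.append(f"high-risk {sorted(high)} with collection {sorted(collect)}")
    # High-risk capability combined with persistence/removal prevention.
    if high and persist:
        score += 2
        reasons.append(f"high-risk {sorted(high)} with persistence {sorted(persist)}")
    # Broad collection footprint even without a high-risk capability.
    if len(collect) >= 3:
        score += 2
        reasons.append(f"broad collection footprint {sorted(collect)}")
    # Code fetched after installation: static pre-install review cannot see it.
    if app.downloaded_code_at_runtime:
        score += 2
        reasons.append("downloaded new code at runtime")
    # Installation outside the managed store is a weaker, supporting signal.
    if app.source != "play":
        score += 1
        reasons.append(f"installed from {app.source}")
    return score, reasons


def triage(records: List[AppRecord], threshold: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Return apps at or above the threshold, highest score first."""
    scored = [(r.package, *score_app(r)) for r in records]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


# Constructed sample inventory. Package names are placeholders; the
# "storagesettings" record mirrors the behaviors listed on this page.
SAMPLE_INVENTORY = [
    AppRecord("com.example.maps", "play", {"location", "foreground_service"}),
    AppRecord("com.example.messenger", "play",
              {"sms", "contacts", "notification_access", "foreground_service"}),
    AppRecord("com.example.sideloaded", "sideload", {"location"}),
    AppRecord("com.example.storagesettings", "play",
              {"accessibility_service", "device_admin", "sms", "notification_access",
               "foreground_service", "icon_hidden"},
              downloaded_code_at_runtime=True),
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_INVENTORY):
        print(package, score)
        for reason in reasons:
            print("  -", reason)
```

The messenger record scores 2 (three collection permissions, no high-risk capability) and the maps record scores 0, so neither crosses the threshold; only the record combining accessibility and device-admin with SMS, notification access, foreground persistence, a hidden icon, and runtime code download is surfaced. Because activation can be operator-triggered, the score should be recomputed on every inventory refresh rather than only at install time.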
Mitigation priorities
- Start with mobile asset governance: identify Android devices used for sensitive business roles and ensure they are enrolled in managed controls where policy permits.
- Restrict or review high-risk Android permissions and capabilities, especially accessibility services, device administrator, SMS, notification access, contacts, location, screen capture, and installation from untrusted sources.
- Strengthen application governance with approved app lists, signing/source checks, and review of applications that download code at runtime or request permissions unrelated to business purpose.
- Ensure mobile network protections can inspect or log relevant DNS and outbound connection metadata for managed devices, including non-standard ports and suspicious domain patterns.
- Prepare incident response procedures for mobile devices, including how to preserve app inventory, permissions, network context, and user reports of uninstall problems or unusual prompts.
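The network-side checks called for in the detection and mitigation lists (non-standard ports, generated-looking domains, and accounting for legitimate background traffic) can be run over per-app connection records from a mobile gateway or on-device VPN/firewall. The following is an added example for this page, not code from ATT&CK, Glexia, or the Bitdefender report. The log line format, the package names, the destination addresses, the entropy and vowel-ratio thresholds, and the background-traffic allowlist are all constructed assumptions; the TCP port 7777 used in the sample comes from the T1509 relationship on this page.

```python
"""Flag per-app mobile flows on non-standard ports and DGA-like domains.

Added example for this page. The log format is constructed; map the
parser to whatever your mobile gateway or on-device VPN actually emits.
"""
import math
from collections import Counter
from typing import Dict, List, Optional

# Ports an ordinary app is expected to use for web traffic (assumption).
EXPECTED_PORTS = {80, 443}
# Known legitimate background (suffix, port) pairs, e.g. Android push messaging.
# Constructed baseline; replace with the organization's own observed baseline.
KNOWN_BACKGROUND = {("google.com", 5228)}


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'example-cdn' for photos.example-cdn.com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_like(domain: str, min_len: int = 10,
             entropy_threshold: float = 3.5, max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic: long label that is either high-entropy or nearly vowel-free."""
    label = registrable_label(domain)
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return shannon_entropy(label) >= entropy_threshold or vowel_ratio <= max_vowel_ratio


def parse_flow_line(line: str) -> Optional[Dict[str, str]]:
    """Parse 'TIMESTAMP key=value ...' into a dict; None on malformed input."""
    parts = line.split()
    if len(parts) < 2 or any("=" not in kv for kv in parts[1:]):
        return None
    rec = dict(kv.split("=", 1) for kv in parts[1:])
    return rec if {"pkg", "dst", "port", "dns"} <= rec.keys() else None


def _allowlisted(domain: str, port: int) -> bool:
    return any((domain == s or domain.endswith("." + s)) and port == p
               for s, p in KNOWN_BACKGROUND)


def analyze_flows(lines: List[str]) -> Dict[str, List[str]]:
    """Return {package: sorted reasons} for packages with at least one finding."""
    findings: Dict[str, set] = {}
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None:
            continue
        pkg, domain, port = rec["pkg"], rec["dns"].lower(), int(rec["port"])
        reasons = findings.setdefault(pkg, set())
        if dga_like(domain):
            reasons.add(f"dga-like domain: {domain}")
        if port not in EXPECTED_PORTS and not _allowlisted(domain, port):
            reasons.add(f"non-standard port: {port} to {domain}")
    return {pkg: sorted(r) for pkg, r in findings.items() if r}


# Constructed sample records (TEST-NET addresses, placeholder package names).
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00Z pkg=com.example.messenger dst=203.0.113.5 port=443 proto=tcp dns=firebase.googleapis.com",
    "2024-05-01T10:00:01Z pkg=com.example.messenger dst=203.0.113.6 port=5228 proto=tcp dns=mtalk.google.com",
    "2024-05-01T10:00:02Z pkg=com.example.photos dst=203.0.113.7 port=443 proto=tcp dns=photos.example-cdn.com",
    "2024-05-01T10:00:03Z pkg=com.example.storagesettings dst=203.0.113.10 port=7777 proto=tcp dns=xq7vbt2kzp9w.net",
    "2024-05-01T10:00:04Z pkg=com.example.storagesettings dst=203.0.113.11 port=443 proto=tcp dns=kpzrtwmndsq.com",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for pkg, reasons in analyze_flows(SAMPLE_FLOWS).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

The push-messaging flow on port 5228 is suppressed by the baseline allowlist, which is the "legitimate background traffic" caveat from the detection list made concrete. Note what this pass does not catch: the T1481.002 relationship records C2 over Firebase, which is a well-known web service on port 443 with an ordinary domain, so port and domain heuristics alone leave that channel invisible and must be paired with the permission-cluster and runtime-behavior signals described earlier on this page.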
Analyst notes and limits
The ATT&CK object identifies Mandrake as Android malware and links it to a broad set of mobile techniques spanning evasion, discovery, collection, command and control, persistence, defense evasion, and impact-like file deletion behavior. The strongest defensive value is using Mandrake as a test case for whether the organization can detect suspicious mobile behavior after installation, not merely block known bad apps.
This assessment is based only on the supplied ATT&CK object, its external references, and the relationship context. ATT&CK provides no official detection text, no tactics in the supplied fields, no aliases beyond the listed external-reference names, and no environment-specific indicators. The content should not be read as proof of current exploitation, attribution, customer exposure, or guaranteed detection coverage.
Mandrake
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1655.001 | Match Legitimate Name or Location | Mandrake can mimic an app called “Storage Settings” if it cannot hide its icon.[1] |
| Mobile | T1636.003 | Contact List | Mandrake can access the device’s contact list.[1] |
| Mobile | T1633.001 | System Checks | Mandrake can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.[1] |
| Mobile | T1517 | Access Notifications | Mandrake can capture all device notifications and hide notifications from the user.[1] |
| Mobile | T1541 | Foreground Persistence | Mandrake uses foreground persistence to keep a service running. It shows the user a transparent notification to evade detection.[1] |
| Mobile | T1409 | Stored Application Data | Mandrake can collect all accounts stored on the device.[1] |
| Mobile | T1509 | Non-Standard Port | Mandrake has communicated with the C2 server over TCP port 7777.[1] |
| Mobile | T1582 | SMS Control | Mandrake can block, forward, hide, and send SMS messages.[1] |
| Mobile | T1513 | Screen Capture | Mandrake can record the screen.[1] |
| Mobile | T1629.003 | Disable or Modify Tools | Mandrake can disable Play Protect.[1] |
| Mobile | T1406 | Obfuscated Files or Information | Mandrake obfuscates its hardcoded C2 URLs.[1] |
| Mobile | T1629.001 | Prevent Application Removal | Mandrake can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.[1] |
| Mobile | T1481.002 | Bidirectional Communication | Mandrake has used Firebase for C2.[1] |
| Mobile | T1516 | Input Injection | Mandrake abuses the accessibility service to prevent removing administrator permissions and accessibility permissions, and to set itself as the default SMS handler.[1] |
| Mobile | T1430 | Location Tracking | Mandrake can collect the device’s location.[1] |
| Mobile | T1418 | Software Discovery | Mandrake can obtain a list of installed applications.[1] |
| Mobile | T1417.002 | GUI Input Capture | Mandrake can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.[1] |
| Mobile | T1632.001 | Code Signing Policy Modification | Mandrake can enable app installation from unknown sources.[1] |
| Mobile | T1628.001 | Suppress Application Icon | Mandrake can hide its icon on older Android versions.[1] |
| Mobile | T1407 | Download New Code at Runtime | Mandrake can download its second (Loader) and third (Core) stages after the dropper is installed.[1] |
| Mobile | T1637.001 | Domain Generation Algorithms | Mandrake has used domain generation algorithms.[1] |
| Mobile | T1630.002 | File Deletion | Mandrake can delete all data from an infected device.[1] |
| Mobile | T1426 | System Information Discovery | Mandrake can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.[1] |
| Mobile | T1544 | Ingress Tool Transfer | Mandrake can install attacker-specified components or applications.[1] |
| Mobile | T1636.004 | SMS Messages | Mandrake can access SMS messages.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3d04d93f433b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Bitdefender Mandrake: R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
- [2] briar (Citation: Bitdefender Mandrake)
- [3] darkmatter (Citation: Bitdefender Mandrake)
- [4] mitre-attack S0485
- [5] oxide (Citation: Bitdefender Mandrake)
- [6] ricinus (Citation: Bitdefender Mandrake)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.