A sophisticated strain of mobile malware targeting Android devices can extract sensitive data and audio recordings, run up premium SMS charges and then tries to extort money from victims.
According to security firm Wandera the malware, dubbed RedDrop, is being distributed inside 53 Android applications promoted on third-party app stores. Apps range from image editors, calculators, language learning tools and adult themed apps. According to Wandera, the criminals had targeted victims working at several“Big Four” consultancy firms.
“RedDrop is one of the most sophisticated pieces of Android malware that we have seen in broad distribution,” said Wandera in an overview of its research published Wednesday. “Not only does the attacker utilize a wide range of functioning malicious applications to entice the victim, they’ve also perfected every tiny detail to ensure their actions are difficult to trace.”
Wandera told Threatpost it’s unsure how many Android devices may be infected with the malware. “One thing we have noticed is that the pace of attempted infections appears to be accelerating,” Wandera said. Since the company initially identified the malware, the company has blocked roughly 20 further requests by infected apps to reach the criminal’s distribution network – where additional malware would be downloaded from.
The apps are being promoted via ads displayed on the popular Chinese search engine Baidu. Researchers said those who click on the ads are “taken to huxiawang[.]cn, the primary distribution site for the attack. The landing pages that follow host various content to encourage and incite the user to download one of the 53 apps within the RedDrop family of malicious apps.”
Once the RedDrop-infected apps are installed the program silently downloads an additional seven Android application packages (APK) that add additional spyware and malicious components such as trojans, premium SMS functionality and additional dropper software.
“When the user interacts with the app, each interaction secretly triggers the sending of an SMS to a premium service, which is then instantly deleted before it can be detected,” the company said.
The rogue apps are capable of harvesting sensitive data, including passively recording audio of the device’s surroundings, accessing photos, contacts, and extracting locally saved files.
Data siphoned off phones are uploaded to the attacker’s Dropbox account to be used in conjunction with further attacks and for possible extortion purposes.
“Apps within the RedDrop family request invasive permissions enabling the attack to be conducted without requesting further interaction from the user,” according to Wandera. “One of the more destructive permissions allows the malware to be persistent between reboots. Granting it the ability to constantly communicate with command and control (C2) servers, permitting the covert activation of its malicious functionality.”
“RedDrop malware was first unearthed at a ‘Big Four’ accounting firm back in January, when Wandera detected unusual network traffic from an employee’s device to a series of redirected suspicious URLs,” Wandera said. “Further investigation revealed an APK file being hosted on these domains, and from there more information about the wider threat was uncovered.”
After its installation, the malware infected app downloads the additional APKs and JAR files from the attacker’s C2 servers, storing them on the device’s memory. This is a technique that “allows the attacker to stealthily execute additional malicious APKs without having to embed them straight into the initial sample. This can be seen from both the network communication and the device logs,” said Wandera.
In order to trick security filters, the group behind RedDrop also used a pool of over 4,000 domains to distribute the malicious apps so that users are redirected multiple times, according to Wandera.
“It’s likely that RedDrop will continue to be employed by attackers even after these apps are flagged as malicious,” the company said. “As was seen in the case of SLocker last year, attackers are smart in creating variants of known malware in an attempt to bypass traditional security measures. We expect the same to be true of RedDrop in the coming months.”