Sophisticated RedDrop Malware Targets Android Phones

android malware

A new strain of mobile malware found on an array of apps can pull out sensitive data – including audio recordings – from Android phones.

A sophisticated strain of mobile malware targeting Android devices can extract sensitive data and audio recordings, run up premium SMS charges and then tries to extort money from victims.

According to security firm Wandera the malware, dubbed RedDrop, is being distributed inside 53 Android applications promoted on third-party app stores. Apps range from image editors, calculators, language learning tools and adult themed apps. According to Wandera, the criminals had targeted victims working at several“Big Four” consultancy firms.

“RedDrop is one of the most sophisticated pieces of Android malware that we have seen in broad distribution,” said Wandera in an overview of its research published Wednesday. “Not only does the attacker utilize a wide range of functioning malicious applications to entice the victim, they’ve also perfected every tiny detail to ensure their actions are difficult to trace.”

Wandera told Threatpost it’s unsure how many Android devices may be infected with the malware. “One thing we have noticed is that the pace of attempted infections appears to be accelerating,” Wandera said. Since the company initially identified the malware, the company has blocked roughly 20 further requests by infected apps to reach the criminal’s distribution network – where additional malware would be downloaded from.

The apps are being promoted via ads displayed on the popular Chinese search engine Baidu. Researchers said those who click on the ads are “taken to huxiawang[.]cn, the primary distribution site for the attack. The landing pages that follow host various content to encourage and incite the user to download one of the 53 apps within the RedDrop family of malicious apps.”

Once the RedDrop-infected apps are installed the program silently downloads an additional seven Android application packages (APK) that add additional spyware and malicious components such as trojans, premium SMS functionality and additional dropper software.

“When the user interacts with the app, each interaction secretly triggers the sending of an SMS to a premium service, which is then instantly deleted before it can be detected,” the company said.

The rogue apps are capable of  harvesting sensitive data, including passively recording audio of the device’s surroundings, accessing photos, contacts, and extracting locally saved files.

Data siphoned off phones are uploaded to the attacker’s Dropbox account to be used in conjunction with further attacks and for possible extortion purposes.

“Apps within the RedDrop family request invasive permissions enabling the attack to be conducted without requesting further interaction from the user,” according to Wandera. “One of the more destructive permissions allows the malware to be persistent between reboots. Granting it the ability to constantly communicate with command and control (C2) servers, permitting the covert activation of its malicious functionality.”

“RedDrop malware was first unearthed at a ‘Big Four’ accounting firm back in January, when Wandera detected unusual network traffic from an employee’s device to a series of redirected suspicious URLs,” Wandera said. “Further investigation revealed an APK file being hosted on these domains, and from there more information about the wider threat was uncovered.”

After its installation, the malware infected app downloads the additional APKs and JAR files from the attacker’s C2 servers, storing them on the device’s memory. This is a technique that “allows the attacker to stealthily execute additional malicious APKs without having to embed them straight into the initial sample. This can be seen from both the network communication and the device logs,” said Wandera.

In order to trick security filters, the group behind RedDrop also used a pool of over 4,000 domains to distribute the malicious apps so that users are redirected multiple times, according to Wandera.

“It’s likely that RedDrop will continue to be employed by attackers even after these apps are flagged as malicious,” the company said. “As was seen in the case of SLocker last year, attackers are smart in creating variants of known malware in an attempt to bypass traditional security measures. We expect the same to be true of RedDrop in the coming months.”

Suggested articles


  • namely on

    never install android crap, ya cant trust the google app store/play. ya defo cant trust 3rd party apps. is it worth the risk.
    • dev on

      The same can be said for any software you download for any device through any avenue. The question is often not if you are getting it from an app store or not, but how trustworthy the vender is that produced it. For example, if you download an app for your bank straight from their website, it is generally safer than using an App store where there may be 5 apps that appear to be for your bank, but 4 of them are spyware. Inversely, getting an app strait from a random third party is riskier because that software is not subject to any security audit. Also, mobile devices (across all brands) have been the big target in recent years; so, it is generally best to operate your phone with the minimum number of apps you really need, and take the time to confirm the identity & repute of the organizations distributing them.
  • christylatham on

    Always use google play store for downloading apps because from there you can get reliable and trust-able application dont use other platform for downloading because its harmful and get harm your android device and memory, so do always best and get best. !!!
  • Didier on

    What if you DID use the app store and still got one? Now the question is - how to get rid of it?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.