Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:30 PM
Connect Directly

New Android Malware Family Highlights Evolving Mobile Threat Capabilities

RedDrop can steal data, record audio, and rack up SMS charges for victims, says Wandera.

RedDrop, a new family of malicious software found lurking in dozens of seemingly benign Android applications, is the latest indication of the increasingly dangerous capabilities that threat actors have begun integrating into modern mobile malware.

Security vendor Wandera recently discovered RedDrop hidden in 53 working Android applications, such as image editors, calculators, language learning apps, space exploration apps, and other educational, recreational, and practical tools. Each application functions as the user would expect, while executing malicious actions in the background.

Once an infected app is installed on an Android device, it downloads at least seven more Android Application Packages (APKs), each with its own malicious functionality and from a different command and control server. The APKs are stored in the system's memory, giving attackers a way to execute them without having to embed the functionality in the original malware sample, Wandera said.

Data the malware is capable of stealing includes all locally saved files, including photos, contacts, and images; live recordings of the device's surroundings; device and subscriber identifiers; application data; and SIM data.

When users interact with a RedDrop-infected app, it also secretly sends a cost-incurring SMS message to a premium service and then instantly deletes the message to avoid detection by the user. All data stolen from infected systems is uploaded to remote file storage systems controlled by the attackers for potential use in future extortion schemes or to launch further attacks, according to Wandera.

RedDrop apps are being distributed from a network of over 4,000 domains, all registered to a single group that looks like it might be operating out of China. Eldar Tuvey, Wandera's co-founder and CEO, says that several infection vectors are being used to distribute the RedDrop family of malware.

The one with the broadest reach is through Chinese search giant Baidu.com, but users could also visit Sky-mobi, which happens to run one of the largest Android app stores in the world, he says. "We also believe advertising networks are being exploited by criminals in order to entice users towards the downloads."

As with most Android malware tools — and indeed most mobile malware — RedDrop poses a threat mainly to users who voluntarily download apps from third-party sources and websites, something that security researchers have long warned against. People who download their apps only from Google's official Play store or from properly vetted enterprise app stores are safe from the threat for the moment. Also for the moment, RedDrop appears to be primarily aiming at Android users in China, though many of the infected apps also target European and American users.

But underestimating mobile threats like RedDrop for such reasons might be a mistake. "Our data shows that around 20.6% of Android users have their configurations set to allow third-party installations," Tuvey says. Despite warnings, many users are still willing to take the risks that come with installations through unofficial app stores, he says.

"In order to protect themselves from these types of threats, individuals and organizations with vulnerable devices should disable downloads from third-party app stores, unless absolutely necessary for business functionality," Tuvey says.

Criminals have also begun ramping up threat activity targeted at mobile devices. In a report earlier this week, Trend Micro noted a sharp increase in the volume of mobile ransomware, banking Trojans, and other malware over the past year. Many of the threats are directed at Android devices, though Apple's iOS is not immune either, according to Trend Micro.  

Ominously, threat actors have become increasingly better at uploading malware-laden apps to Google's Play store, according to the Trend Micro report. As a result, users downloading their apps from there cannot be absolutely certain about their security either. Unsurprisingly, given the rapidly evolving threat landscape, four out of 10 enterprises see mobile devices posing a significant risk to their security.

"Android has an above-average amount of known security vulnerabilities, and hackers know this," says Paul Bischoff, privacy advocate at Comparitech. Organizations that provide Android devices for work should consider setting up a guest account on each device, he says. "Guest accounts in Android cannot install apps from third-party sources due to a lower level of privileges. The main admin account should be password-protected."

If employees are allowed to use their own Android devices, clear guidelines need to be laid out about what work-related activities are allowed on their phones and what security measures need to be in place, Bischoff says. Security administrators need to instruct employees not to change the "allow apps from unknown sources" setting on any personal phones used for work.

Organizations should also update their Android devices to Android Oreo, the latest version of the operating system, Tuvey says. Oreo includes controls that make it easier for users to detect and block apps with invasive permissions. Unfortunately, almost half of all installed Android devices are running versions of the operating system that predate the previous Marshmallow version and can be easily bypassed by RedDrop, Bischoff says.

Related content:


Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.