New Android Malware Family Highlights Evolving Mobile Threat Capabilities

RedDrop can steal data, record audio, and rack up SMS charges for victims, says Wandera.

RedDrop, a new family of malicious software found lurking in dozens of seemingly benign Android applications, is the latest indication of the increasingly dangerous capabilities that threat actors have begun integrating into modern mobile malware.

Security vendor Wandera recently discovered RedDrop hidden in 53 working Android applications, such as image editors, calculators, language learning apps, space exploration apps, and other educational, recreational, and practical tools. Each application functions as the user would expect, while executing malicious actions in the background.

Once an infected app is installed on an Android device, it downloads at least seven more Android Application Packages (APKs), each with its own malicious functionality and from a different command and control server. The APKs are stored in the system's memory, giving attackers a way to execute them without having to embed the functionality in the original malware sample, Wandera said.

Data the malware is capable of stealing includes all locally saved files, including photos, contacts, and images; live recordings of the device's surroundings; device and subscriber identifiers; application data; and SIM data.

When users interact with a RedDrop-infected app, it also secretly sends a cost-incurring SMS message to a premium service and then instantly deletes the message to avoid detection by the user. All data stolen from infected systems is uploaded to remote file storage systems controlled by the attackers for potential use in future extortion schemes or to launch further attacks, according to Wandera.
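The capabilities listed above (file and contact theft, audio recording, device and subscriber identifiers, premium SMS) each correspond to an Android permission the app must declare in its manifest, so a quick triage step for a suspicious app is to diff the declared permissions against what the app's advertised purpose needs. The following is an added example, not Wandera's tooling or code from the article; it assumes the manifest has already been decoded from the APK to text XML (for instance with apktool), and the sample manifest for a fictional calculator app is constructed here for the demonstration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Android's XML namespace used for the android:name attribute.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names mapped to the capabilities the article
# attributes to RedDrop. The mapping itself is ours, for triage purposes.
CAPABILITY_BY_PERMISSION: Dict[str, str] = {
    "android.permission.SEND_SMS": "send premium-rate SMS",
    "android.permission.RECORD_AUDIO": "record the device's surroundings",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "read locally saved files and photos",
    "android.permission.READ_PHONE_STATE": "read device/subscriber identifiers",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional APKs at runtime",
    "android.permission.INTERNET": "upload data to remote servers",
}

# Constructed manifest for a fictional "calculator" app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Calculator"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def triage(manifest_xml: str, expected_for_app: Set[str]) -> Dict[str, List[str]]:
    """Flag sensitive permissions that the app's stated purpose does not justify.

    expected_for_app: permissions an analyst considers legitimate for this app.
    """
    declared = declared_permissions(manifest_xml)
    unexpected = sorted(
        p for p in declared
        if p in CAPABILITY_BY_PERMISSION and p not in expected_for_app
    )
    return {
        "declared": sorted(declared),
        "unexpected": unexpected,
        "capabilities": [CAPABILITY_BY_PERMISSION[p] for p in unexpected],
    }


if __name__ == "__main__":
    # A calculator that shows ads might plausibly need INTERNET; nothing else.
    report = triage(SAMPLE_MANIFEST, {"android.permission.INTERNET"})
    for perm, cap in zip(report["unexpected"], report["capabilities"]):
        print(f"{perm}: can {cap}")
```

Permissions alone do not prove malice, and a dropper that fetches further APKs at runtime (as described for RedDrop) will not declare the permissions of the payloads it later installs, so this check is a first filter to prioritise apps for dynamic analysis rather than a verdict.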

RedDrop apps are being distributed from a network of over 4,000 domains, all registered to a single group that looks like it might be operating out of China. Eldar Tuvey, Wandera's co-founder and CEO, says that several infection vectors are being used to distribute the RedDrop family of malware.

The one with the broadest reach is through Chinese search giant Baidu.com, but users could also visit Sky-mobi, which happens to run one of the largest Android app stores in the world, he says. "We also believe advertising networks are being exploited by criminals in order to entice users towards the downloads."

As with most Android malware tools — and indeed most mobile malware — RedDrop poses a threat mainly to users who voluntarily download apps from third-party sources and websites, something that security researchers have long warned against. People who download their apps only from Google's official Play store or from properly vetted enterprise app stores are safe from the threat for the moment. Also for the moment, RedDrop appears to be primarily aiming at Android users in China, though many of the infected apps also target European and American users.

But underestimating mobile threats like RedDrop for such reasons might be a mistake. "Our data shows that around 20.6% of Android users have their configurations set to allow third-party installations," Tuvey says. Despite warnings, many users are still willing to take the risks that come with installations through unofficial app stores, he says.

"In order to protect themselves from these types of threats, individuals and organizations with vulnerable devices should disable downloads from third-party app stores, unless absolutely necessary for business functionality," Tuvey says.

Criminals have also begun ramping up threat activity targeted at mobile devices. In a report earlier this week, Trend Micro noted a sharp increase in the volume of mobile ransomware, banking Trojans, and other malware over the past year. Many of the threats are directed at Android devices, though Apple's iOS is not immune either, according to Trend Micro.

Ominously, threat actors have become increasingly adept at uploading malware-laden apps to Google's Play store, according to the Trend Micro report. As a result, users downloading their apps from there cannot be absolutely certain about their security either. Unsurprisingly, given the rapidly evolving threat landscape, four out of 10 enterprises see mobile devices posing a significant risk to their security.

"Android has an above-average amount of known security vulnerabilities, and hackers know this," says Paul Bischoff, privacy advocate at Comparitech. Organizations that provide Android devices for work should consider setting up a guest account on each device, he says. "Guest accounts in Android cannot install apps from third-party sources due to a lower level of privileges. The main admin account should be password-protected."

If employees are allowed to use their own Android devices, clear guidelines need to be laid out about what work-related activities are allowed on their phones and what security measures need to be in place, Bischoff says. Security administrators need to instruct employees not to change the "allow apps from unknown sources" setting on any personal phones used for work.

Organizations should also update their Android devices to Android Oreo, the latest version of the operating system, Tuvey says. Oreo includes controls that make it easier for users to detect and block apps with invasive permissions. Unfortunately, almost half of all installed Android devices are running versions of the operating system that predate the previous Marshmallow version and can be easily bypassed by RedDrop, Bischoff says.
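The two device-level conditions raised above, the "unknown sources" setting and an OS version that predates Marshmallow or Oreo, can be checked across a managed fleet from `adb shell getprop` and `adb shell settings get secure install_non_market_apps` output. The following is an added example, not code from the article or from Wandera or Comparitech; the device output it parses is constructed for a fictional device, and it assumes the analyst has collected that output separately. It also handles the Oreo edge case: from API 26 the global `install_non_market_apps` toggle is deprecated in favour of per-app install permissions, so a "0" there says nothing about an Oreo device.

```python
import re
from typing import List

MARSHMALLOW_SDK = 23  # Android 6.0: runtime permission prompts introduced
OREO_SDK = 26         # Android 8.0: per-app "install unknown apps" replaces the global toggle

# Constructed output of `adb shell getprop` for a fictional Android 5.1.1 device.
SAMPLE_GETPROP = """[ro.build.version.release]: [5.1.1]
[ro.build.version.sdk]: [22]
[ro.product.model]: [ExampleDevice]
"""
# Constructed output of `adb shell settings get secure install_non_market_apps`.
SAMPLE_UNKNOWN_SOURCES = "1\n"


def parse_sdk_int(getprop_output: str) -> int:
    """Extract the API level from getprop output (lines look like [key]: [value])."""
    match = re.search(r"\[ro\.build\.version\.sdk\]: \[(\d+)\]", getprop_output)
    if not match:
        raise ValueError("ro.build.version.sdk not present in getprop output")
    return int(match.group(1))


def assess_device(getprop_output: str, unknown_sources_setting: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed.

    unknown_sources_setting is the raw value of install_non_market_apps
    ("0", "1", or "null" when unset).
    """
    sdk = parse_sdk_int(getprop_output)
    findings: List[str] = []

    if sdk < MARSHMALLOW_SDK:
        findings.append(
            f"API {sdk} predates Marshmallow: permissions are granted wholesale at "
            "install time and cannot be reviewed or revoked per permission"
        )
    if sdk < OREO_SDK:
        findings.append(
            f"API {sdk} predates Oreo: no per-app control over installs from unknown sources"
        )
        # The global toggle is only meaningful before Oreo.
        if unknown_sources_setting.strip() == "1":
            findings.append("installs from unknown sources are enabled globally "
                            "(install_non_market_apps=1)")
    # On Oreo and later the global toggle is deprecated; the per-app grant is
    # visible with `adb shell appops get <package> REQUEST_INSTALL_PACKAGES`,
    # which is outside what this function checks.
    return findings


if __name__ == "__main__":
    for finding in assess_device(SAMPLE_GETPROP, SAMPLE_UNKNOWN_SOURCES):
        print("FINDING:", finding)
```

Run against the constructed sample, the function reports all three findings; an Oreo device reports none from these checks and needs the per-app review instead.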

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
