New Android Malware Family Highlights Evolving Mobile Threat Capabilities

Published: 22/11/2024   Category: security




RedDrop can steal data, record audio, and rack up SMS charges for victims, says Wandera.



RedDrop, a new family of malicious software found lurking in dozens of seemingly benign Android applications, is the latest indication of the increasingly dangerous capabilities that threat actors have begun integrating into modern mobile malware.
Security vendor Wandera recently discovered RedDrop hidden in 53 working Android applications, such as image editors, calculators, language learning apps, space exploration apps, and other educational, recreational, and practical tools. Each application functions as the user would expect while executing malicious actions in the background.
Once an infected app is installed on an Android device, it downloads at least seven more Android Application Packages (APKs), each with its own malicious functionality and each from a different command-and-control server. The APKs are stored in the system's memory, giving attackers a way to execute them without having to embed the functionality in the original malware sample, Wandera said.
Data the malware is capable of stealing includes all locally saved files (photos, contacts, and images); live recordings of the device's surroundings; device and subscriber identifiers; application data; and SIM data.
When users interact with a RedDrop-infected app, it also secretly sends a cost-incurring SMS message to a premium service and then instantly deletes the message to avoid detection by the user. All data stolen from infected systems is uploaded to remote file storage systems controlled by the attackers, for potential use in future extortion schemes or to launch further attacks, according to Wandera.
RedDrop apps are being distributed from a network of over 4,000 domains, all registered to a single group that appears to be operating out of China. Eldar Tuvey, Wandera's co-founder and CEO, says that several infection vectors are being used to distribute the RedDrop family of malware.
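The capabilities listed above (premium SMS with message deletion, audio recording, contact and file theft, identifier collection, and dropping further APKs) each require an app to request specific Android permissions, which is what a defender can triage for. The following is an added example, not code from the article or from Wandera: it parses a constructed excerpt in the shape of `adb shell dumpsys package` output and flags apps whose requested permissions cover several of those capabilities. The capability-to-permission mapping is this example's own assumption and a triage heuristic, not a RedDrop signature; the package names and permission lists are constructed.

```python
"""Triage installed Android apps by the permissions they request.

Added example, not code from the article or from Wandera. The input is a
constructed excerpt in the shape of `adb shell dumpsys package` output; the
capability-to-permission mapping is this example's own assumption about what
the behaviours described in the article (premium SMS, audio recording, contact
and file theft, identifier collection, dropping further APKs) would need an
app to request. It is a triage heuristic, not a RedDrop signature.
"""
import re

# Constructed sample: a "calculator" that requests far more than it needs,
# beside a notes app with a plausible permission set.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.calculator] (1a2b3c):
    versionName=2.1
    requested permissions:
      android.permission.INTERNET
      android.permission.SEND_SMS
      android.permission.READ_SMS
      android.permission.RECORD_AUDIO
      android.permission.READ_CONTACTS
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.READ_PHONE_STATE
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (4d5e6f):
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
"""

# Each capability the article attributes to RedDrop, mapped to the permissions
# an app would have to request to perform it (assumed mapping).
CAPABILITIES = {
    "premium_sms": {"android.permission.SEND_SMS"},
    "sms_cleanup": {"android.permission.READ_SMS"},
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "contact_theft": {"android.permission.READ_CONTACTS"},
    "file_theft": {"android.permission.READ_EXTERNAL_STORAGE"},
    "device_identifiers": {"android.permission.READ_PHONE_STATE"},
    "drop_more_apks": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")


def parse_requested_permissions(text):
    """Map each package name to the permissions listed under
    'requested permissions:' in a dumpsys-style dump."""
    apps, current, in_block = {}, None, False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            apps[current] = []
            in_block = False
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
        elif stripped.endswith(":"):
            # Any other section header ('install permissions:' etc.) ends the block.
            in_block = False
        elif in_block and current and stripped.startswith("android.permission."):
            apps[current].append(stripped)
    return apps


def capabilities_for(permissions):
    """Capabilities whose full permission set is requested by the app."""
    requested = set(permissions)
    return {cap for cap, needed in CAPABILITIES.items() if needed <= requested}


def triage(apps, threshold=3):
    """Return {package: (sorted capabilities, verdict)}. An app is flagged for
    review if it can send SMS at all or combines `threshold` or more
    spyware-style capabilities."""
    report = {}
    for pkg, perms in apps.items():
        caps = capabilities_for(perms)
        flagged = "premium_sms" in caps or len(caps) >= threshold
        report[pkg] = (sorted(caps), "review" if flagged else "ok")
    return report


if __name__ == "__main__":
    for pkg, (caps, verdict) in triage(parse_requested_permissions(SAMPLE_DUMPSYS)).items():
        print(f"{pkg}: {verdict} {caps}")
```

The SEND_SMS rule is deliberately strict: a calculator or image editor has no reason to send text messages, and the premium-SMS behaviour described above is the one that costs the victim money directly. The threshold rule catches the broader spyware profile even when SMS is absent.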
"The one with the broadest reach is through Chinese search giant Baidu.com, but users could also visit Sky-mobi, which happens to run one of the largest Android app stores in the world," he says. "We also believe advertising networks are being exploited by criminals in order to entice users towards the downloads."
As with most Android malware tools — and indeed most mobile malware — RedDrop poses a threat mainly to users who voluntarily download apps from third-party sources and websites, something that security researchers have long warned against. People who download their apps only from Google's official Play store or from properly vetted enterprise app stores are safe from the threat for the moment. Also for the moment, RedDrop appears to be aimed primarily at Android users in China, though many of the infected apps also target European and American users.
But underestimating mobile threats like RedDrop for such reasons might be a mistake. "Our data shows that around 20.6% of Android users have their configurations set to allow third-party installations," Tuvey says. Despite warnings, many users are still willing to take the risks that come with installations through unofficial app stores, he says.
In order to protect themselves from these types of threats, individuals and organizations with vulnerable devices should disable downloads from third-party app stores unless absolutely necessary for business functionality, Tuvey says.
Criminals have also begun ramping up threat activity targeted at mobile devices. In a report earlier this week, Trend Micro noted a sharp increase in the volume of mobile ransomware, banking Trojans, and other malware over the past year. Many of the threats are directed at Android devices, though Apple's iOS is not immune either, according to Trend Micro.
Ominously, threat actors have become increasingly better at uploading malware-laden apps to Google's Play store, according to the Trend Micro report. As a result, users downloading their apps from there cannot be absolutely certain about their security either. Unsurprisingly, given the rapidly evolving threat landscape, four out of 10 enterprises see mobile devices posing a significant risk to their security.
"Android has an above-average amount of known security vulnerabilities, and hackers know this," says Paul Bischoff, privacy advocate at Comparitech. Organizations that provide Android devices for work should consider setting up a guest account on each device, he says. Guest accounts in Android cannot install apps from third-party sources because they run with a lower level of privileges. The main admin account should be password-protected.
If employees are allowed to use their own Android devices, clear guidelines need to be laid out about what work-related activities are allowed on their phones and what security measures need to be in place, Bischoff says. Security administrators need to instruct employees not to change the "allow apps from unknown sources" setting on any personal phones used for work.
Organizations should also update their Android devices to Android Oreo, the latest version of the operating system, Tuvey says. Oreo includes controls that make it easier for users to detect and block apps with invasive permissions. Unfortunately, almost half of all installed Android devices are running versions of the operating system that predate the previous Marshmallow version and can be easily bypassed by RedDrop, Bischoff says.
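The advice given by Tuvey and Bischoff above comes down to three checks an administrator can make per device: the OS version relative to Marshmallow and Oreo, and whether installation from unknown sources is enabled (a single global switch before Oreo, a per-app grant from Oreo onward). The following is an added example, not code from the article or its sources, that encodes those checks. It assumes the inputs were read off a device with adb: the API level from `adb shell getprop ro.build.version.sdk`, the pre-Oreo global setting `install_non_market_apps` via `adb shell settings get global install_non_market_apps` (printing `1`, `0` or `null`), and, on Oreo and later, a per-package mapping of the `REQUEST_INSTALL_PACKAGES` app-op mode assembled from `adb shell appops get <pkg> REQUEST_INSTALL_PACKAGES` queries. The `package mode` line format fed to the parser, the sample values and the trusted-installer list are all constructed for the example.

```python
"""Assess an Android device against the article's hardening advice.

Added example, not from the article or its sources. Inputs are values an
administrator would read off a device with adb (see the lead-in); the sample
values and the 'package mode' line shape parsed below are constructed for
this example and are not adb's native output format.
"""

MARSHMALLOW_SDK = 23  # Android 6.0
OREO_SDK = 26         # Android 8.0

# Constructed allow-list: installers an organisation deliberately permits.
TRUSTED_INSTALLERS = {"com.android.vending"}


def assess_device(sdk_int, install_non_market_apps=None, install_sources=None,
                  trusted=TRUSTED_INSTALLERS):
    """Return (findings, compliant).

    sdk_int: API level of the device.
    install_non_market_apps: value of the pre-Oreo global setting ("1"/"0"/"null").
    install_sources: Oreo+ mapping package -> REQUEST_INSTALL_PACKAGES mode
        ("allow"/"deny"/"default"/"ignore"); only consulted on Oreo and later.
    """
    findings = []
    if sdk_int < MARSHMALLOW_SDK:
        # The article: pre-Marshmallow builds are the easy targets.
        findings.append("os_predates_marshmallow")
    if sdk_int < OREO_SDK:
        # The article: update to Oreo for its permission controls.
        findings.append("os_predates_oreo")
        # Single global "unknown sources" switch on older releases.
        if str(install_non_market_apps).strip() == "1":
            findings.append("unknown_sources_enabled")
    else:
        # Oreo replaced the global switch with a per-app install-sources grant,
        # so each package holding the grant is reported unless it is trusted.
        for pkg, mode in sorted((install_sources or {}).items()):
            if mode == "allow" and pkg not in trusted:
                findings.append(f"install_from_unknown_sources:{pkg}")
    return findings, not findings


def parse_appops_modes(text):
    """Parse constructed 'package mode' lines into {package: mode}."""
    modes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            modes[parts[0]] = parts[1]
    return modes


# Constructed sample for an Oreo device: the Play store and a browser hold
# the install grant, a third app has been denied it.
SAMPLE_OREO_APPOPS = """\
com.android.vending allow
com.example.browser allow
com.example.calculator deny
"""

if __name__ == "__main__":
    print(assess_device(22, "1"))
    print(assess_device(26, None, parse_appops_modes(SAMPLE_OREO_APPOPS)))
```

A device is only reported compliant when it runs Oreo or later and no package outside the trusted set holds the install grant, which mirrors the two recommendations above: update to Oreo, and leave third-party installation disabled unless a business need justifies it.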
Related content:
Threats from Mobile Ransomware & Banking Malware Are Growing
The Mobile Threat: 4 out of 10 Businesses Report Significant Risk
Can Android for Work Redefine Enterprise Mobile Security?
Key New Security Features in Android Oreo