Sophisticated Android malware spies on smartphone users and runs up their phone bill too

RedDrop malware steals data from the device, including live recordings of calls and surroundings, as well as files, photos, messages, contacts and more - all while charging the user.
Written by Danny Palmer, Senior Writer

A newly uncovered form of Android malware secretly steals sensitive data from infected devices - including full audio recordings of phone calls - and stores it in cloud storage accounts.

An invasive form of spyware, RedDrop harvests information from the device, including live recordings of its surroundings, user data including files, photos, contacts, notes, device data and information about saved Wi-Fi networks and nearby hotspots.

Described by the researchers at security company Wandera who uncovered it as "one of the most sophisticated pieces of Android malware", RedDrop is notable on two counts: those behind it use a wide variety of lures to infect victims, and they have gone out of their way to ensure that users remain completely unaware that their phone is infected.

That is at least until they receive a high phone bill, due to the malware secretly sending SMS messages to a premium rate service in addition to its spyware activities. In one example studied, a message was sent to a premium rate service every time the victim interacted with the malicious app, while all evidence of messages being sent is hidden from the user.

A total of 53 apps are used to distribute the malware, with malicious lures disguised as a range of tools including calculators, image editors, language learning aids, adult content and more.

The first time the malware was seen, it was being distributed via a Chinese-language adult content app called CuteActress, but other lures target English speakers and speakers of other languages. "This is very much a global operation," Joel Windels, VP at Wandera, told ZDNet.

A selection of other apps known to be distributing RedDrop include 'Space Game Free', 'Video Blocker', 'Cosmos FM', 'Plus Italy', 'Paint It', 'Hot Tone' and 'Ninja Slice'. None of the apps come from the official Google Play Store; all are served by third-party outlets.

Rather than sending the user to the malicious download in one quick move, researchers found that the attackers use an intricate network of over 3,000 domains which link back and forth to one another. The redirection chain is designed to evade detection and, through obfuscation of the true download source, to increase the chances of the malware being installed successfully on a device.


The initial download is merely a dropper which, when opened and run, connects to a command and control server to fetch additional components. The benefit to the attackers is that on initial install the app looks clean, passing any inspection at that stage, and only afterwards follows up by downloading the malicious payloads.

In this instance, the additional downloads carry three key functions: spyware that harvests data and records the device's surroundings, a data exfiltration component that uploads the stolen information to Dropbox or Google Drive, and the ability to carry out SMS fraud.
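The two behaviours the article describes most concretely, premium-rate SMS sent each time the user interacts with the app with the evidence hidden, and audio recording followed by an upload to consumer cloud storage, can be surfaced from device telemetry with a simple correlation heuristic. The following is an added example written for this page; it is not Wandera's tooling or code from RedDrop. The event log is constructed, the field layout is a made-up format, the short-code rule for premium-rate numbers and the list of cloud storage hosts are assumptions for the example, and the ten-second window is an arbitrary tuning parameter.

```python
"""Heuristic triage of constructed Android device telemetry for RedDrop-style behaviour."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real RedDrop data). Each line is
# "<ISO timestamp> <package> <event> <detail>"; package names are invented.
SAMPLE_EVENTS = """
2018-02-27T10:00:00 com.example.cuteapp app_foreground -
2018-02-27T10:00:03 com.example.cuteapp sms_sent 8888
2018-02-27T10:05:10 com.example.cuteapp app_foreground -
2018-02-27T10:05:12 com.example.cuteapp sms_sent 8888
2018-02-27T10:07:00 com.example.cuteapp audio_record_start -
2018-02-27T10:09:30 com.example.cuteapp net_upload content.dropboxapi.com
2018-02-27T11:00:00 com.example.messenger app_foreground -
2018-02-27T11:00:40 com.example.messenger sms_sent +14155550100
"""

# Assumption: an SMS fired within this window of the user opening the app counts as
# "sent on interaction", the pattern the article describes.
PREMIUM_SMS_WINDOW = timedelta(seconds=10)

# Assumption: consumer cloud storage endpoints worth flagging when paired with audio capture.
CLOUD_STORAGE_HOSTS = {"content.dropboxapi.com", "www.googleapis.com"}


def parse_events(text):
    """Turn the constructed log into (timestamp, package, event, detail) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, pkg, kind, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), pkg, kind, detail))
    return sorted(events)


def is_short_code(number):
    """Assumption for this example: premium-rate services are addressed by short numeric codes."""
    return number.isdigit() and len(number) <= 6


def find_hidden_premium_sms(events):
    """Count, per package, SMS to short codes sent right after the user brought the app forward."""
    last_foreground = {}
    hits = defaultdict(int)
    for ts, pkg, kind, detail in events:
        if kind == "app_foreground":
            last_foreground[pkg] = ts
        elif kind == "sms_sent" and is_short_code(detail):
            if pkg in last_foreground and ts - last_foreground[pkg] <= PREMIUM_SMS_WINDOW:
                hits[pkg] += 1
    return dict(hits)


def find_record_and_exfil(events):
    """Return packages that both start audio recording and upload to a cloud storage host."""
    recorders, uploaders = set(), set()
    for _, pkg, kind, detail in events:
        if kind == "audio_record_start":
            recorders.add(pkg)
        elif kind == "net_upload" and detail in CLOUD_STORAGE_HOSTS:
            uploaders.add(pkg)
    return sorted(recorders & uploaders)


def triage(text):
    """Run both heuristics over a telemetry dump and return the findings."""
    events = parse_events(text)
    return {
        "premium_sms": find_hidden_premium_sms(events),
        "record_and_exfil": find_record_and_exfil(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

On the constructed input the invented `com.example.cuteapp` package is flagged on both counts, while the messenger app, which sends one SMS to a full-length number well after it was opened, is not. The value of correlating against user interaction is that it distinguishes the silent, repeated premium sends the article describes from the ordinary SMS a legitimate app sends when the user asks it to.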

The data theft is so thorough that, during testing, a call the researchers made to a network provider was recorded live and then uploaded to the cloud storage folder controlled by the malware's operators.

Wandera describes the main purpose of RedDrop as to "ruthlessly extract data from the victim" with up to eight different files downloaded in tandem to secretly steal data and send premium text messages. The combination of actions could be extremely destructive, both to the user's privacy and their bank balance.

"This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we've seen recently," said Dr Michael Covington, VP of Product Strategy at Wandera.

It's currently unknown exactly who the attack group behind RedDrop is, but their interest in stealing data and recording audio from devices suggests an espionage motive, backed by enough manpower to develop a wide variety of applications and maintain sophisticated malware.

"The group responsible for RedDrop have invested a lot of resource in creating this malware and therefore would require a significant payoff to make it worthwhile," said Windels.

"It is difficult to estimate the prevalence of this threat, but it is highly likely that RedDrop resides on a handful of devices at most large organizations," he added.
