RedDrop malware runs up big bills on Android smartphones and spies on users

News by Rene Millman

Researchers warn that malware could be used to blackmail users. New malware has been discovered that could eavesdrop on Android smartphone users and run up huge bills.


Dubbed RedDrop by security researchers at Wandera, the malware, once fully installed, will extract a devastating amount of personal data, including live recordings of the infected device's surroundings, files, photos, contacts, device intelligence, application data and Wi-Fi information. The malware also makes the victim unwittingly send expensive SMS messages to a premium service. The exfiltrated data is then transmitted to the attacker's personal Dropbox or Google Drive folder - without arousing any suspicion.

Wandera first discovered the malware when an employee from a US-based "Big Four" consulting firm used their mobile web browser to click on a link displayed on Chinese search engine Baidu - the fourth most visited site in the world. The user was then directed to a site displaying adult content, which was detected as suspicious by Wandera's security engine MI:RIAM and subsequently blocked. 

Upon further investigation, Wandera discovered over 53 seemingly innocent-looking apps that front-end the malware, as well as an intricate distribution network of over 3,000 registered to the same group, used to maximise reach to end-user devices.

Researchers said that the malware is one of the most sophisticated pieces of Android malware that they have seen in broad distribution and with such an extensive network of supporting infrastructure. 

“This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we've seen,” said Dr Michael Covington, VP of product strategy at Wandera.

Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team, told SC Media UK that there is nothing new about this malware. 

“This looks more like a very amateur trial run of Android malware rather than ‘one of the most sophisticated pieces of Android malware’ as claimed by the researchers. Based on their report, this malware is not exploiting any vulnerabilities but instead relies on users installing a malicious application which requests many permissions. While it may not be common for Android malware to record and upload calls, I suspect this is because it provides minimal value outside of targeted attacks and potentially makes the malware more apparent by draining the victim's battery quickly,” he said.

He added that Android users do not need to do anything more than normal to guard against this threat.  

“Default settings on all supported releases of Android should be pretty well protected against by installing only from trusted sources and leaving Google Play Protect enabled. It is also of course important to be mindful about what permissions are requested by apps. With Android 6 (released 2015), apps will request permissions at runtime which should make it abundantly obvious when a malicious app wants to do something like sending SMS or recording audio. Users of older Android releases must rely instead on reviewing the requested permissions at install time to confirm that they are appropriate for the app,” he said.
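The permission review described above can be automated during app triage. As an added example (not code from the article, Wandera or Tripwire), the script below reads a decoded AndroidManifest.xml and flags the combination of capabilities the article attributes to RedDrop: audio capture plus premium SMS alongside data-harvesting and network permissions. The manifest and package name are constructed for illustration; the permission names are the real Android ones.

```python
"""Triage helper: flag manifests whose requested permissions match the
RedDrop-style capability set (audio capture + SMS sending + data access).
Added example; SAMPLE_MANIFEST is constructed, not a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups the article describes, keyed to real Android permissions.
CAPABILITIES = {
    "audio_surveillance": {"android.permission.RECORD_AUDIO"},
    "premium_sms": {"android.permission.SEND_SMS"},
    "data_harvest": {"android.permission.READ_CONTACTS",
                     "android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.ACCESS_WIFI_STATE"},
    "exfiltration": {"android.permission.INTERNET"},
}

# Constructed manifest, in the shape apktool produces when decoding an APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.helpfulapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict:
    """Map each capability group to the matching permissions actually requested.

    The 'review' flag is set when audio recording and SMS sending are both
    requested: that pairing is the behaviour the article describes and is rarely
    legitimate for a seemingly helpful app, so it deserves manual inspection."""
    perms = requested_permissions(manifest_xml)
    hits = {group: sorted(perms & wanted) for group, wanted in CAPABILITIES.items()}
    hits["review"] = bool(hits["audio_surveillance"] and hits["premium_sms"])
    return hits


if __name__ == "__main__":
    for group, found in triage(SAMPLE_MANIFEST).items():
        print(f"{group}: {found}")
```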

Andy Norton, director of threat intelligence at Lastline, told SC Media UK that unauthorised access via mobile phone espionage is on the up.

“This particular threat went after a largely Asian target. However, the use of an infected personal device, that has access to internal corporate networks and has the ability to exfiltrate data over 4G, should not be underestimated as a future attack strategy by various threat actors,” he said.
