RedDrop, a new family of mobile malware built for Android, is specifically intended for blackmail. Researchers at the U.K. security firm Wandera say that RedDrop harvests users' personal data, from the apps they have installed to the nearest WiFi networks. It reaches into contacts and photos and, most worryingly, can hijack the phone's microphone.
The threat had previously been unknown to the mobile security company, and first came to light at several global consultancy firms when Wandera's machine intelligence engine (MI:RIAM) blocked the download of a suspicious-looking app. The company discovered at least 50 functioning apps that contain the RedDrop malware.
Wandera said, “The 53 malware-ridden apps are exfiltrating sensitive data – including ambient audio recordings – and dumping it in the attackers’ Dropbox accounts to prepare for further attacks and extortion purposes”.
Once the app is downloaded, at least seven additional APKs are silently downloaded as well, unlocking the malicious functionality. These are spyware-like components that, among other things, passively record the device's audio and harvest its photos, contacts and files. Each interaction the user has with the app secretly triggers the sending of an SMS to a premium-rate service, and the message is deleted immediately to avoid detection. RedDrop then exfiltrates the collected data, uploading it to remote file storage for future use in extortion or blackmail.
The kind of information pulled from the device is potentially damaging on a personal level and, if the device is used for work, on a professional level as well.
“Once the threat actor is able to extract PII from the device, the victim is open to identity fraud, compromised credentials and other malicious activities that can arise from this device breach. The greatest threat from this malware is the potential to infiltrate a corporate network where IT assets are compromised and data can be exfiltrated. Many organizations have a BYOD policy which would be an ideal method of attack to create a devastating breach,” Andrew Speakmaster, founder and chief technology officer of SiO4, told SC Media.
The apps are disguised in many different forms, from image editors to calculators to space exploration tools.
“This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we’ve seen,” said Dr. Michael Covington, VP of Product Strategy at Wandera.
All the infected Android apps Wandera has discovered come from third-party app stores based in China. If you stick to installing apps from Google Play, there is no current risk of being infected by RedDrop. However, Wandera warned, “RedDrop is one of the most sophisticated pieces of Android malware that we have seen in broad distribution”.