Researchers at UK-based firm Wandera have been analyzing a new Android malware called RedDrop. The malware is reported to be able to perform a wide range of actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive. The malware was initially spotted on the mobile devices of employees of several global consultancy firms and appears to target mainly users living in China.
Researchers at Wandera have discovered 53 malware-ridden apps that exfiltrate sensitive data from infected devices. The primary goal of these apps, and of the network that supports them, is to get users to unknowingly send SMS messages to premium services, thus incurring financial loss. Applications infected with RedDrop are distributed through a network of more than 4,000 domains and range from tools such as image editors and calculators to recreational apps. Every observed application offers the expected functionality, which makes it difficult for users to detect on their own that they have unwittingly downloaded a malicious program.
In order to lure victims, the attackers go so far as to display ads on the popular Chinese search engine Baidu. One such ad takes the user to huxiawang.cn, the primary distribution site for the attack, which encourages users to download one of the 53 malicious apps. As China does not have an official Google Play Store, users often rely on search engines to find and download apps, which in turn has made Android users there susceptible to such malware attacks.
Once the user downloads and installs one of the infected apps, the malware asks the user to approve invasive permissions. It goes so far as to request permissions that allow it to persist between reboots and to communicate continuously with its command and control (C&C) servers. This enables the attacker to perform further malicious actions with no further involvement from the user. Once one RedDrop-infected application is installed, the malware silently downloads several other malicious programs, each designed to carry out a specific function. To remain on the device and make removal incredibly hard, the downloaded components are stored dynamically in the device’s memory.
In the report published by Wandera, researchers made a specific case study of one of the infected applications, called CuteActress. This application was designed to send an SMS message to a premium service each time the user touched the screen to interact with the app’s legitimate functionality. The malware would then delete all of these messages, erasing any evidence of the premium SMS. Perhaps far more worryingly, the malware family also includes a set of spyware tools capable of extracting valuable and damaging data from the victim’s device. The Wandera researchers attributed encrypted and unencrypted data, encoded data, and TCP streams to RedDrop’s exfiltration activities. Stolen data includes locally saved files (such as photos and contacts), device-related information (IMEI, IMSI, etc.), SIM info (MNC, MCC, etc.), application data, and information on nearby Wi-Fi networks. While all this already amounts to an incredibly sophisticated spyware package, RedDrop has an ace in the hole: it can also record audio of the device’s surroundings.
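The behaviours described above (premium SMS, persistence across reboots, identifier and contact theft, Wi-Fi reconnaissance, audio capture) each require specific Android permissions, so a defender can triage a decoded manifest for that combination before an app is allowed on a managed device. The following is an added example, not Wandera’s tooling or anything from the RedDrop samples; the permission-to-behaviour mapping and the two sample manifests are assumptions constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the RedDrop-style
capability combination. Example code; the behaviour mapping is an assumption."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Behaviour reported for RedDrop -> Android permissions that enable it (assumed mapping).
BEHAVIOUR_PERMISSIONS = {
    "premium_sms": {"android.permission.SEND_SMS"},
    "reboot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "device_sim_ids": {"android.permission.READ_PHONE_STATE"},
    "contacts_files": {"android.permission.READ_CONTACTS", "android.permission.READ_EXTERNAL_STORAGE"},
    "wifi_recon": {"android.permission.ACCESS_WIFI_STATE"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "exfiltration": {"android.permission.INTERNET"},
}
# Core combination the article describes; an app requesting all three is flagged.
FLAG_ON = {"premium_sms", "reboot_persistence", "exfiltration"}

def triage_manifest(manifest_xml):
    """Return requested permissions, matched behaviours and a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    # A BOOT_COMPLETED receiver is the usual way an app comes back after a reboot.
    boot_receiver = any(a.get(NS + "name") == "android.intent.action.BOOT_COMPLETED"
                        for a in root.iter("action"))
    hits = {b for b, needed in BEHAVIOUR_PERMISSIONS.items() if perms & needed}
    if boot_receiver:
        hits.add("reboot_persistence")
    return {"permissions": sorted(perms), "behaviours": sorted(hits),
            "boot_receiver": boot_receiver, "suspicious": FLAG_ON <= hits}

# Constructed sample manifests (not real apps): a plain calculator and a
# calculator lookalike that requests the RedDrop-style combination.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.calc"><uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application></manifest>"""
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.calcplus">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application><receiver android:name=".Boot"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
  </intent-filter></receiver></application></manifest>"""

if __name__ == "__main__":
    for name, xml in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage_manifest(xml))
```

A manifest can be decoded from an APK with apktool or aapt before being fed to the function; a flagged result is a reason for review, not proof of malice, since legitimate SMS apps request some of the same permissions.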
Wandera concluded in their report that RedDrop is possibly one of the most sophisticated pieces of Android malware they have seen. The researchers felt that the malware authors perfected every tiny detail to ensure their actions are difficult to trace. Further, the malware family has a wide range of components that can be used maliciously, and it is backed by a sophisticated distribution network of over 4,000 domains. One of the major fears associated with RedDrop relates to its spying and data exfiltration: researchers believe that the stolen data and information can easily be used to blackmail victims. The threat is viewed as so serious that it led Dr. Michael Covington, VP of Product Strategy at Wandera, to issue the following statement:
“This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we’ve seen.”
To that end, Wandera advises that in order to protect against such a threat, users should disable installations from third-party app stores unless absolutely necessary for business functionality. Their research indicated that more than 20% of corporate Android devices allow third-party installations, so a significant number of devices are vulnerable to this threat.
While Wandera appears convinced of the seriousness and potential danger posed by RedDrop, there is no absolute consensus within the security community. Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team, believes that RedDrop is merely “a very amateur trial run” which is wholly dependent on the user approving some incredibly pervasive permissions in order to steal data. Young further argues:
“There is nothing new about this malware… Android users do not need to do anything more than normal to guard against this threat. Default settings on all supported releases of Android should be pretty well protected against by installing only from trusted sources and leaving Google Play Protect enabled. It is also, of course, important to be mindful about what permissions are requested by apps.”
Between Wandera’s stark warnings and Young’s opinion and very practical advice on how to defend against such attacks probably lies the truth of the matter. Whatever the difference of opinion about RedDrop, it is still a malware family that can cause damage and financial loss. The malware further highlights the importance of how we interact with technology and how employers could do more to educate their workforces about the dangers involved. Up-to-date company cybersecurity policies, if companies and users followed them to the letter, would make life much harder for attackers. Such policies could go a long way toward preventing amateur malware authors from making off with hard-earned funds.