New Android Malware Family Highlights Evolving Mobile Threat Capabilities

RedDrop, a new family of malicious software found lurking in dozens of seemingly benign Android applications, is the latest indication of the increasingly dangerous capabilities that threat actors have begun integrating into modern mobile malware.

Security vendor Wandera recently discovered RedDrop hidden in 53 working Android applications, such as image editors, calculators, language learning apps, space exploration apps, and other educational, recreational, and practical tools. Each application functions as the user would expect, while executing malicious actions in the background.

Once an infected app is installed on an Android device, it downloads at least seven more Android Application Packages (APKs), each with its own malicious functionality and from a different command and control server. The APKs are stored in the system's memory, giving attackers a way to execute them without having to embed the functionality in the original malware sample, Wandera said.

Data the malware is capable of stealing includes all locally saved files, including photos, contacts, and images; live recordings of the device's surroundings; device and subscriber identifiers; application data; and SIM data.

When users interact with a RedDrop-infected app, it also secretly sends a cost-incurring SMS message to a premium service and then instantly deletes the message to avoid detection by the user. All data stolen from infected systems is uploaded to remote file storage systems controlled by the attackers for potential use in future extortion schemes or to launch further attacks, according to Wandera.

RedDrop apps are being distributed from a network of over 4,000 domains, all registered to a single group that looks like it might be operating out of China. Eldar Tuvey, Wandera's co-founder and CEO, says that several infection vectors are being used to distribute the RedDrop family of malware.

The one with the broadest reach is through Chinese search giant Baidu.com, but users could also visit Sky-mobi, which happens to run one of the largest Android app stores in the world, he says. "We also believe advertising networks are being exploited by criminals in order to entice users towards the downloads."

As with most Android malware tools — and indeed most mobile malware — RedDrop poses a threat mainly to users who voluntarily download apps from third-party sources and websites, something that security researchers have long warned against. People who download their apps only from Google's official Play store or from properly vetted enterprise app stores are safe from the threat for the moment. Also for the moment, RedDrop appears to be primarily aiming at Android users in China, though many of the infected apps also target European and American users.

But underestimating mobile threats like RedDrop for such reasons might be a mistake. "Our data shows that around 20.6% of Android users have their configurations set to allow third-party installations," Tuvey says. Despite warnings, many users are still willing to take the risks that come with installations through unofficial app stores, he says.

"In order to protect themselves from these types of threats, individuals and organizations with vulnerable devices should disable downloads from third-party app stores, unless absolutely necessary for business functionality," Tuvey says.

Criminals have also begun ramping up threat activity targeted at mobile devices. In a report earlier this week, Trend Micro noted a sharp increase in the volume of mobile ransomware, banking Trojans, and other malware over the past year. Many of the threats are directed at Android devices, though Apple's iOS is not immune either, according to Trend Micro.  

Ominously, threat actors have become increasingly better at uploading malware-laden apps to Google's Play store, according to the Trend Micro report. As a result, users downloading their apps from there cannot be absolutely certain about their security either. Unsurprisingly, given the rapidly evolving threat landscape, four out of 10 enterprises see mobile devices posing a significant risk to their security.

"Android has an above-average amount of known security vulnerabilities, and hackers know this," says Paul Bischoff, privacy advocate at Comparitech. Organizations that provide Android devices for work should consider setting up a guest account on each device, he says. "Guest accounts in Android cannot install apps from third-party sources due to a lower level of privileges. The main admin account should be password-protected."

If employees are allowed to use their own Android devices, clear guidelines need to be laid out about what work-related activities are allowed on their phones and what security measures need to be in place, Bischoff says. Security administrators need to instruct employees not to change the "allow apps from unknown sources" setting on any personal phones used for work.

Organizations should also update their Android devices to Android Oreo, the latest version of the operating system, Tuvey says. Oreo includes controls that make it easier for users to detect and block apps with invasive permissions. Unfortunately, almost half of all installed Android devices are running versions of the operating system that predate the previous Marshmallow version and can be easily bypassed by RedDrop, Bischoff says.

Related content:

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.