IT security researchers have discovered Android malware that steals personal data from Android devices and records live calls and surrounding noise in order to blackmail the victim. Dubbed RedDrop by Wandera researchers, the malware was found in 53 applications on third-party app stores, including calculators, image editors, language-teaching and space-exploration apps.
All of the infected apps request invasive permissions, and one of those permissions lets the malware persist across reboots, which makes it particularly damaging for targeted Android devices. Moreover, the cybercriminals behind RedDrop have used over 4,000 compromised domains to distribute the infected apps.
Once an infected app is opened, it downloads seven more malicious APKs with dropper, spyware, trojan and data-exfiltration functionality. Once the user starts using the malicious app, it begins sending SMS messages to a premium-rate service, charging the victim's account without the victim noticing.
The data stolen by RedDrop's exfiltration component includes photos, the contact list, the IMEI and IMSI numbers, SIM card information, nearby WiFi networks and live recordings of the device's surroundings. After collecting the data, the malware uploads it to Dropbox and Google Drive folders controlled by the developers, where it is used for extortion and blackmail.
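The capability profile described above (boot persistence plus SMS sending, audio recording, contact and identifier harvesting, WiFi enumeration and installing further APKs) is something a defender can check for in an app's manifest before it reaches a device. The script below is an added example written for this article; it is not Wandera's tooling and not code from the RedDrop report. It parses a decoded AndroidManifest.xml, maps each declared permission to the capability it grants, and flags an app that combines boot persistence with several collection or monetisation capabilities it has no plausible use for. The manifest is constructed for a hypothetical "calculator" app, and the permission-to-capability mapping is an assumption drawn from the behaviour the article describes, since the article does not name the permissions RedDrop requests.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed manifest (decoded XML, not binary AXML) for a hypothetical
# calculator app. The permission set mirrors the capabilities the article
# attributes to RedDrop; the app name and package are made up for this example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Calculator">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> standard Android permissions that grant it. This mapping is an
# assumption made for the example, derived from the behaviour the article
# describes, not a list taken from the RedDrop report.
CAPABILITIES = {
    "boot persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "premium SMS": {"android.permission.SEND_SMS"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "contact harvesting": {"android.permission.READ_CONTACTS"},
    "device identifiers (IMEI/IMSI)": {"android.permission.READ_PHONE_STATE"},
    "nearby WiFi enumeration": {"android.permission.ACCESS_WIFI_STATE"},
    "dropper (install further APKs)": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# Permissions a utility app such as a calculator might legitimately need.
BENIGN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def boot_receivers(manifest_xml: str) -> list[str]:
    """Return receivers whose intent-filter listens for BOOT_COMPLETED,
    i.e. the component that gives the app a foothold across reboots."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED":
                found.append(receiver.get(ANDROID_NS + "name"))
    return found


def triage(manifest_xml: str) -> dict:
    """Score the manifest against the RedDrop-style capability profile."""
    perms = declared_permissions(manifest_xml)
    matched = sorted(cap for cap, needed in CAPABILITIES.items() if needed & perms)
    excess = sorted(perms - BENIGN_BASELINE)
    receivers = boot_receivers(manifest_xml)
    # Heuristic: persistence across reboots combined with at least two other
    # collection or monetisation capabilities is the pattern described above.
    suspicious = "boot persistence" in matched and len(matched) >= 3
    return {
        "capabilities": matched,
        "excess_permissions": excess,
        "boot_receivers": receivers,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it on the constructed manifest reports all seven capabilities, lists the receiver wired to BOOT_COMPLETED, and marks the app suspicious. On a real device fleet the same check is most useful as a pre-installation gate: decode the APK's manifest (for example with apktool), run `triage`, and block or review anything that claims reboot persistence together with SMS, microphone and contact access while presenting itself as a calculator or image editor.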
“When all of the functionality is combined, RedDrop aims to extract valuable and damaging data from the victim. As soon as the information is collected, it is transmitted back to the attackers’ personal Dropbox or Drive folders to be used in their extortion schemes and as the foundation to launch further attacks,” explained Nell Campbell of Wandera.
The malware was first spotted by researchers on a Chinese server that lured victims into visiting a domain hosting adult content. However, it is still unclear who is behind its development and distribution. Here is a screenshot shared by Wandera explaining the campaign, which used adult content to target victims.
“This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we’ve seen,” said Dr. Michael Covington, VP of Product Strategy at Wandera.
According to the researchers, RedDrop is one of the most sophisticated Android malware families they have seen in broad distribution. Android users are therefore at risk and are advised to download apps only from the Play Store or from trusted third-party sites.