A new Android malware dubbed RedDrop can perform a vast array of malicious actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive.
The malware was first spotted by UK mobile security firm Wandera on the phones of employees of several global consultancy firms.
Despite an impressive array of intrusive features that could easily classify it as spyware, the malware wasn’t part of a cyber-espionage operation but was primarily used to subscribe users to premium SMS numbers that netted the RedDrop authors a profit.
Malware primarily active in China
The malware is primarily active in China. Because there’s no official Google Play Store in China, users usually rely on search engines to find apps, which is RedDrop’s primary distribution method. A typical RedDrop infection chain looks like this:
① User searches Baidu for an Android app.
② A poisoned search result redirects users through countless domains until they land on a third-party app store.
③ User installs a RedDrop-infected app that asks for intrusive permissions.
④ Malware gets boot persistence and then gathers basic device data that it sends to a remote C&C server.
⑤ RedDrop downloads and installs seven other apps that provide the malware with additional functions.
⑥ User launches and interacts with the app.
⑦ RedDrop’s primary goal is to subscribe the user to premium SMS services and delete any incoming confirmation texts that may alert the user.
⑧ Malware also steals phone data such as photos, files, and contact list. It optionally makes recordings of nearby audio. RedDrop sends all these files to remote Dropbox and Google Drive accounts.
Stolen files and audio records may be used for blackmail
Researchers believe the malware steals users’ personal files and records nearby audio so that its authors have blackmail material on hand should RedDrop happen to infect a wealthy person, businessman, or politician.
Wandera says it discovered RedDrop inside at least 53 apps offered for download on third-party stores. One of the most absurd apps is called CuteActress.
“The CuteActress app ostensibly functions as an adult-themed game in which the user must rub the screen in order to reveal a seductively-dressed female,” Wandera researchers say. “Each time the screen is ‘rubbed,’ the user is unknowingly sending an SMS message to a premium service.”
We recently covered how hackers spread Android spyware through Facebook using fake profiles.
Chinese and non-Chinese users alike who want to avoid falling victim to such apps are advised to make sure their device settings disallow third-party app installations, to avoid rooting their devices, and to triple-check an app’s permissions before installing it.
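The permission check recommended above, as an added example that is not code from the article or from Wandera: a Python script that parses an app manifest (a constructed sample, not a real RedDrop sample) and flags the permission combinations that the behaviours in the infection chain require, so a sideloaded "game" asking for SMS, boot, audio and storage access stands out before installation.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviour clusters from the article mapped to the permissions each needs.
# A cluster fires only when ALL of its permissions are requested.
CLUSTERS = {
    "premium SMS fraud + hiding confirmations": {"android.permission.SEND_SMS",
                                                 "android.permission.RECEIVE_SMS"},
    "boot persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "nearby audio recording": {"android.permission.RECORD_AUDIO"},
    "contact/file theft": {"android.permission.READ_CONTACTS",
                           "android.permission.READ_EXTERNAL_STORAGE"},
    "drops additional apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# Constructed manifest (hypothetical package name) for a game asking far more than it needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rubgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    # Collect every android:name on <uses-permission> elements.
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> list:
    perms = requested_permissions(manifest_xml)
    hits = [name for name, needed in CLUSTERS.items() if needed <= perms]
    # Uploading stolen data to cloud storage needs network access; note it explicitly.
    if hits and "android.permission.INTERNET" in perms:
        hits.append("network exfiltration path")
    return hits


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print("flagged:", finding)
```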