Sophisticated RedDrop malware spies on Android users

Data-stealing RedDrop malware spread in 53 infected apps on third-party stores

RedDrop malware spies on Android users

Android users were in the target eye of the mobile malware developers again. Recently, a sophisticated RedDrop malware[1] was noticed spreading via ads on Chinese search engine Baidu. Malicious ads redirect to one of 4,000 domains that asked to install an obfuscated application. Users who fell for this track get their personal information stolen and received an enormous phone bill.

Mobile security firm Wandera spotted RedDrop malware and analyzed its operation. According to the research,[2] this version of Android virus is one of the most advanced mobile cyber threats yet. After the infiltration, malware gets access to contacts, pictures, and other sensitive information. It also sends SMS messages to the premium services and records everything that happens in the surroundings.

This newly discovered Android virus was noticed spreading via 53 different apps, including language learning applications, image and photo editors, adult-themed apps, etc. Infected applications were available on third-party stores only and did not make it to Google Play Store. Fortunately, applications with RedDrop virus were successfully removed.

RedDrop malware steals personal information and stores in the remote Dropbox account

Android malware was noticed spreading via malicious ads. Once clicked, it redirected to huxiawang[.]cn site which leads to one of 4,000 different domains. These sites offered to install various mobile applications. Malicious apps were created so perfectly that they can bypass malware detection mechanisms.

When a malicious app gets on Android device, it connects to the Command and Control server. It downloads more than 7 APKs and additional JAR files which run malicious activities. Therefore, apps itself does not contain malicious components which might be detected by security programs.

The main purpose of the RedDrop is to steal private information and send it to remote Dropbox accounts that belong to cyber criminals. Malware collects these details:

  • locally saved files, such as photos and contacts;
  • live recordings it starts taking soon after the infiltration;
  • technical information about infected device and SIM;
  • application data;
  • nearby Wi-Fi networks.

This Android virus is sophisticated spyware that steals everything that is stored on victim’s smartphone. Additionally, it records what happens around and saves information in remote storage services. In this way, victim’s privacy is in a huge risk. Currently, it’s unknown how hackers are using aggregated details. However, this situation does not promise anything good.

Malware sends SMS to premium services

Apart from collecting personal information about users, malware also sends SMS messages[3] on behalf of the victim. As soon as a person opens an obfuscated app and touches mobile’s screen, malware automatically sends a message to one of many premium services.

However, users cannot suspect anything until they receive a phone bill. RedDrop malware deletes all sent messages. Therefore, victims can only see that they were charged for unknown services once they receive an enormous bill.

Avoid Android malware

Nevertheless, apps that spread RedDrop was deleted; there are countless other mobile cyber threats you should watch out. The first and the most important tip – stay away from third-party app stores.[4] Download apps only from Google Play store.

However, you can trust Google Play Store is not 100% safe place. Mobile viruses and spyware can sneak into it too. For this reason, you always have to double-check the information about developers, reads user reviews and attentively read app permissions. [5]

If the app received many negative reviews or asks too much access to your device, do not install it. Additionally, it is highly recommended to protect your smartphone with a reliable antivirus.

About the author
Lucia Danes
Lucia Danes - Security researcher

Lucia Danes is the news editor at UGetFix. She is always on the move because the eager for knowledge makes her travel around the globe and attend InfoSec events and conferences.

Contact Lucia Danes
About the company Esolutions