Incident Of The Week: ‘RedDrop’ Malware Targets Android Fleets

Dan Gunderman
Posted: 03/02/2018
[This story was updated March 2, 2018.]

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a malware strain believed to be both powerful and destructive – backed by an intricate content distribution network (CDN) of over 4,000 domains which help it propagate (by pushing corrupted applications).

The malware, dubbed “RedDrop,” contains Trojan files, a dropper allowing it to work in additional Android application packages (APK), spyware and screen-reading capabilities that send rate-inducing SMS messages to a premium service. All in all, it’s capable of critical data loss and data exfiltration (audio files, Wi-Fi detection, and more).

The strain was spotted by Wandera after a user clicked an ad on the popular Chinese search engine Baidu, according to Wandera’s comprehensive report. The user was then ushered to, the epicenter. Landing pages urged users to download one of 53 apps corrupted with RedDrop.

See Related: Incident Of The Week: 'Olympic Destroyer' Malware Strikes Winter Games

Of the many RedDrop apps, some of them deal in image editing, others in simple calculating. What’s more, some RedDrop apps are recreational – dabbling in space travel or world languages. The apps ostensibly work as intended, but malicious activity is being conducted beneath them.

To administer the multipronged attack, the RedDrop apps request invasive permissions. One such permission allows the malware to persist amid reboots. This places it in an advantageous position – able to communicate with command and control (C&C) servers, according to the report. At least seven APKs are installed in the background to allow for the lateral movement.

“We believe the group developed this complex CDN to obfuscate where the malware was served from, making it harder for security teams to detect the source of the threat,” the report said.

The security experts at Wandera call the variant “highly destructive” because of its deep-seated distribution network. Some of the RedDrop apps allow for user interaction, as well. That is, in some cases, when the screen is touched, the user sends the aforementioned SMS messages.

See Related: Incident Of The Week: RAT Malware Strains Believed To Be N. Korean

To aid its extortion, RedDrop reportedly collects information rapidly to transmit to Dropbox or Drive folders.

The experts that fleshed out this variant call it “one of the most sophisticated pieces of Android malware that we have seen in broad distribution.”

On the app-driven, spyware-inducing malware strain, Wandera’s Vice President of Product Strategy, Dr. Michael Covington, said, “This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent.”

Because of RedDrop’s refined functionality, it’s primed to inflict damage on users who freely give away app permissions or fail to protect devices from third-party app stores.

Users and organizations are asked to disable downloads from outside app stores – which are still an effective threat vector. Organizations in particular are asked to update their fleets to the latest version of Android, which has better threat-detection capabilities built into the operating system (OS), “Oreo.”

In response to Wandera's assessment of the RedDrop malware family, several cyber security experts have offered a rebuttal. Some have downplayed the severity of the variant.

In explaining how the strain combines spyware, Trojan and data exfiltration, The CyberWire said in its Daily Briefing that "if users take apps only from reputable sources and enable Google Play Protect, they're probably safe."

Be Sure To Check Out: 'Not Going To Automate Our Way Out': FBI's David Wallace

Dan Gunderman
Posted: 03/02/2018
The Baronette Renaissance Detroit-Novi Hotel, Novi, MI, United States
March 25 - 27, 2018
Dusit Thani Hotel, Abu Dhabi, United Arab Emirates
March 26 - 28, 2018