“RedDrop” Mobile Malware Records Ambient Audio
A newly detailed mobile malware can do more than steal data from infected devices: it can also record ambient audio and send the recordings to cloud storage accounts controlled by attackers. Dubbed RedDrop, the malware can also inflict financial costs on victims by sending SMS messages to premium services, security firm Wandera says. The U.K.-based company has discovered 53 malware-ridden apps that are exfiltrating sensitive data from infected devices.
RedDrop-infected applications are being distributed through a network of more than 4,000 domains and range from tools such as image editors and calculators to recreational apps. Every observed application offers the expected functionality, thus hiding the malicious content stored within. Once the user installs an application from the RedDrop family, invasive permissions are requested, so that the next steps of the attack would be performed without additional user interaction, the security researchers reveal.
The malware even asks for permissions that allow it to persist between reboots and to continuously communicate with its command and control (C&C) servers. To lure victims to their malicious network, the attackers even display ads on the popular Chinese search engine Baidu. One such ad would take the user to huxiawang.cn, the primary distribution site for the attack, which encourages users to download one of the 53 malicious apps.
Once the user installs a RedDrop-infected application, 7 additional APKs are silently downloaded and executed on the device, each meant to enable additional malicious functionality. The downloaded components are stored dynamically into the device's memory. One of the observed applications (CuteActress) was designed to send an SMS message to a premium service each time the user would touch the screen to interact with the app's legitimate functionality.
The threat would also delete all of these messages, thus erasing any evidence of these premium SMS. The RedDrop malware family also includes a set of spyware tools capable of extracting valuable and damaging data from the victim's device. The Wandera researchers associated encrypted and unencrypted data, encoded data and TCP streams to RedDrop's exfiltration activities.
Stolen data includes locally saved files (such as photos and contacts), device-related information (IMEI, IMSI, etc), SIM info (MNC, MCC, etc), application data, and information on nearby Wi-Fi networks. More disturbing is the fact that RedDrop can also record an audio of device's surroundings. According to Wandera, RedDrop is one of the most sophisticated Android malware families, given the range of functioning malicious applications it hides behind and its complex distribution network.
The malware is expected to remain active even after the applications are flagged as malicious, and new variants are expected to emerge in the coming months. "This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent.
This is one of the more persistent malware variants we've seen," Dr Michael Covington, VP of Product Strategy at Wandera, says. According to Craig Young, computer security researcher for Tripwire, this is not the first time Android malware that includes such extensive spyware capabilities has been discovered and the research appears exaggerated. "This looks more like a very amateur trial run of Android malware rather than "one of the most sophisticated pieces of Android malware" as claimed by Wandera," Young told SecurityWeek in an emailed comment.
He also pointed out that the malware's ability to record and upload calls "provides minimal value outside of targeted attacks and potentially makes the malware more apparent by draining a victim's battery quickly." Young recommends paying extra attention to the permissions applications may request, as this is a great means to stay safe from infections. "With Android 6 (released 2015), apps will request permissions at runtime which should make it abundantly obvious when a malicious app wants to do something like sending SMS or recording audio.
Users of older Android releases must rely instead on reviewing the requested permissions at install time to confirm that they are appropriate for the app," Young concluded.