The Daily Swig Web security digest

RedDrop in the ocean: Researchers uncover sea of malware-ridden apps

James Walker | 01 March 2018 at 11:18

New mobile malware being used for SMS fraud and data harvesting.

Dozens of mobile apps have been found to contain sophisticated and previously undiscovered malware that features a range of spyware-like components in order to harvest sensitive user data.

The malware, dubbed RedDrop, has been found in 53 fully functioning Android apps – all of which are being distributed via a complex network of more than 4,000 domains.

RedDrop was discovered by researchers at mobile security firm Wandera, who found that each time a user interacts with one of the host apps, an SMS is secretly sent to a premium service before being automatically deleted.

It seems, however, that the malware’s ability to skim money from users’ accounts is the least of their worries, as a further seven Android application packages (APKs) are silently downloaded once the app is opened, unlocking new malicious functionality.

“These additional APKs include spyware-like components, harvesting sensitive data, including passively recording the device’s audio, photos, contacts, files, and more,” Wandera said.

“RedDrop then exfiltrates this data, uploading it straight into remote file storage systems for use in extortion and blackmailing purposes.”

Destructive permissions

According to Wandera, apps within the RedDrop family request “invasive” permissions once they have been installed, enabling the attack to be conducted without any further interaction from the user.

“One of the more destructive permissions allows the malware to be persistent between reboots, granting it the ability to constantly communicate with command and control servers,” the company stated.
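The permission set Wandera describes (sending and then deleting SMS, surviving reboots, recording audio, reading contacts and files, and talking to a server) is something a practitioner can check for directly in a decoded AndroidManifest.xml. The script below is an added example, not Wandera's tooling or code from the malware: the sample manifests are constructed for illustration, the rule set is this example's own heuristic, and the permission and action names are the standard Android ones.

```python
"""Triage a decoded AndroidManifest.xml for the permission combinations a
RedDrop-style app needs: premium-SMS fraud, boot persistence and data
harvesting plus a network path to exfiltrate it.

Added example. The binary manifest inside an APK must first be decoded
(e.g. with apktool); the two manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a "flashlight" app asking for far more than it needs,
# with a receiver registered for BOOT_COMPLETED so it restarts after reboot.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Flashlight">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: a benign app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""

# Heuristic rules (this example's own): each behaviour from the write-up
# mapped to the permissions an app needs to carry it out.
RULES = {
    "premium_sms_fraud": {"android.permission.SEND_SMS"},
    # Removing the sent message from the SMS store needs write access too.
    "sms_trace_removal": {"android.permission.SEND_SMS",
                          "android.permission.WRITE_SMS"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    "file_harvest": {"android.permission.READ_EXTERNAL_STORAGE"},
}
HARVESTING = {"audio_capture", "contact_harvest", "file_harvest"}
EXFIL = "android.permission.INTERNET"


def extract_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def has_boot_receiver(manifest_xml):
    """True if any intent-filter listens for BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
               for a in root.iter("action"))


def triage(manifest_xml):
    """Score a manifest against RULES and report which behaviours it enables."""
    perms = extract_permissions(manifest_xml)
    hits = sorted(name for name, needed in RULES.items() if needed <= perms)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "hits": hits,
        "boot_receiver": has_boot_receiver(manifest_xml),
        # Spyware profile: collects something AND has a way to send it out.
        "exfil_capable": EXFIL in perms and bool(HARVESTING & set(hits)),
        "score": len(hits) + (1 if EXFIL in perms else 0),
    }


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(sample))
```

The score is only a triage aid: a legitimate messaging or backup app will trip several of these rules, so the useful signal is the mismatch between what an app claims to be (a flashlight) and what it asks for, together with a boot receiver it has no reason to need.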

RedDrop’s complex payload is matched by an equally intricate distribution network of more than 4,000 domains.

“Users were taken through a complex series of network redirects in an attempt to circumvent and evade malware detection techniques, prior to being presented with the download,” Wandera said.

Google Play all the way

Wandera’s discovery of RedDrop is the latest in a string of increasingly sophisticated mobile malware strains found in the wild over recent months.

However, although the malware’s malicious payload, persistent nature, and complex distribution network make for sobering reading, users need not throw the baby out with the bathwater just yet.

None of the apps found to be harboring RedDrop are available on the Google Play Store – the official app store for Android devices, which applies additional security checks to the apps it hosts. Code signing on its own is no safeguard here: Android requires every APK to be signed with a developer certificate before it will install, whether it comes from Google Play or from a third-party site.

By default, Android refuses to install APKs that come from anywhere other than the Play Store: a sideloaded package will not install unless the user first switches on the “Unknown sources” setting (on Android 8 and later, the per-app “Install unknown apps” permission), and the system warns the user when they do so.

With this in mind, the advice for users is clear: leave the “Unknown sources” setting off, and install apps only from the Google Play Store.