A new family of mobile malware called RedDrop exfiltrates victims' sensitive data, including ambient audio recordings, and sends it to cloud storage services. Wandera, a mobile security firm that spotted weaknesses in the CBS Sports app and mobile site back in 2016, uncovered the malware when a user clicked on an ad for the Chinese search engine Baidu. The click redirected the user to huxiawang[dot]cn, a distribution site containing landing pages that encourage visitors to download one of 53 apps tainted by RedDrop. The affected apps advertise engaging functionality, for example helping users learn a new language or explore space.
Figure: Some of the RedDrop-infected apps. (Source: Wandera)

As it turns out, huxiawang[dot]cn uses a series of redirects across a content delivery network (CDN) consisting of over 4,000 domains. Those responsible for the malware presumably built this layered redirection deliberately to conceal RedDrop's source. Upon successful installation, the malicious app requests excessive permissions from the user. It then abuses those rights to silently install seven or more malicious APKs from its command and control (C&C) server. One of those APKs is a trojan. Another is a dropper capable of installing further APKs. A third sends an SMS message to a premium-rate service and immediately deletes it every time the user taps the screen while interacting with the app. Those capabilities pale in comparison to RedDrop's most serious component: spyware that records audio of the device's surroundings and then exfiltrates it, along with application data, SIM-related information, and local data such as photos and contacts, to attacker-controlled Dropbox and Google Drive folders. There, bad actors can weaponize the information to launch additional attacks.
Figure: The RedDrop infection chain. (Source: Wandera)

With its complex structure and intricate CDN, RedDrop stands out in the mind of Wandera VP of Product Strategy Dr. Michael Covington. As quoted in Wandera's write-up of the threat:
This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we’ve seen.
Users can best protect themselves against threats like RedDrop by downloading apps only from official app marketplaces and by carefully reviewing the permissions a program requests before approving its installation. Enterprises should reinforce these best practices with employee security awareness training and with policies that emphasize application management, including whitelisting and blacklisting.