SAN FRANCISCO, CA: February 27, 2018 – Wandera has discovered a new family of Android malware, called RedDrop that causes critical harm to any infected mobile device. Wandera researchers believe that RedDrop is one of the most sophisticated pieces of Android malware ever seen in broad distribution and with such an extensive network of supporting infrastructure. This zero-day threat is currently unknown to the security community.

Wandera warns that any user on an Android device could potentially fall victim to this malware. Once fully installed, RedDrop will extract a devastating amount of personal data, including live recordings of the infected device’s surroundings, files, photos, contacts, device intelligence, application data, and Wi-Fi information. The malware also makes the victim unwittingly submit expensive SMS messages to a premium service. The exfiltrated data is then transmitted to the attacker’s personal Dropbox or Google Drive folder – without arousing any suspicion.

Wandera first discovered the malware when an employee from a US-based “Big Four” consulting firm used their mobile web browser to click on a link displayed on Chinese search engine Baidu – the fourth most visited site in the world. The user was then directed to a site displaying adult content, which was detected as suspicious by Wandera’s machine learning engine MI:RIAM and subsequently blocked. Upon further investigation, Wandera discovered 53+ seemingly innocent looking apps that front-end the malware, as well as an intricate distribution network of 3,000+ registered to the same group, used to maximize reach to end-user devices.

There are several infection vectors being used to distribute the RedDrop family of malware. The one with the broadest reach is through the search giant But users could also visit Sky Mobi, which happens to run one of the largest Android app stores in the world. Both sites would ultimately direct the user to download the initial malicious app, which would be masquerading as an app with legitimate functionality for the end user.

Wandera has also established that RedDrop malware possesses an excellent ability to evade detection. The multiple distribution URLs, the distinct web properties used to host the APKs and the countless versions of each bit of added functionality – all point to the attacker’s attempt to keep the malware from becoming stale and subject to signature-based blocks. Furthermore, the network infrastructure supporting RedDrop keeps evolving as well. Wandera researchers have seen numerous command & control servers used, as well as different exfiltration sites employed to continuously change the overall ‘fingerprint’ of the malware.

Michael Covington, VP of Product Strategy at Wandera said, “This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we’ve seen recently. From the download sites and referrers to the C&C and data exfiltration, the attackers who built this malware planned it well. On the device itself, the malware was designed to be resilient and to persist across system changes and updates. The fact that 8 files are ultimately downloaded and installed to work in tandem, without the victim’s knowledge, shows how sophisticated these developers were in the design.”

Wandera is warning individuals and organizations with vulnerable devices to disable third-party app stores, unless absolutely necessary for business functionality. Other recommendations include enterprise devices being equipped with a security tool that prevents threats in the network, so additional downloads from unofficial sites, command & control and data exfiltration connections can be identified and blocked.

Eldar Tuvey, CEO at Wandera concluded, “The security industry has shifted away from solutions that run exclusively on the desktop – and now favor a combination of endpoint and network-based defenses. I suspect that malware incidents like RedDrop will move mobile solutions, which rely heavily on device-based detection capabilities today, closer to that industry standard. The only reason that we were able to detect and dissect RedDrop to this extent – is because our extensive network coverage allowed our researchers to understand – not only the malware itself but the tremendous infrastructure that supports it.”

Media Contact:

Liarna LaPorta