RedDrop nasty infects Androids via adult links, records sound, and fires off premium-rate texts

Baidu users, beware

By John Leyden

Posted in Security, 2nd March 2018 16:37 GMT

A newly discovered strain of Android malware makes live recordings of ambient audio around an infected device.

The RedDrop nasty also harvests and uploads files, photos, contacts, application data, config files and Wi-Fi information from infected kit. Both Dropbox and Google Drive are being used as temporary storage by the attackers.

Infected devices submit expensive SMS messages to a premium service, enriching crooks in the process. Hundreds of infections related to the malware have been spotted by security firms, with Chinese users among the most heavily affected.

Enterprise mobile security firm Wandera discovered the malware when an employee from a US-based "Big Four" consulting firm used their mobile web browser to click on a link displayed on Chinese search engine Baidu. The user was then directed to a site displaying adult content, which was detected as suspicious and blocked.

Upon further investigation, Wandera discovered 53+ innocent-looking apps that act as front ends for the malware, as well as an intricate distribution network of 3,000+ hosting locations, used to maximise reach to end-user devices. "We believe that the multiple distribution URLs, the distinct web properties used to host the APKs and the countless versions of each bit of added functionality all point to the attacker's attempt to keep the malware from becoming stale and subject to signature-based blocks," Wandera said.

Apps ranging from business tools to games have been contaminated to carry the malware, according to Wandera. Chinese search giant Baidu and the Sky Mobi Android app store are both being abused to distribute the nasty.

RedDrop Android malware infection cycle [Source: Wandera]

The threat is one of the most advanced examples of Android malware Wandera has seen. "From the download sites and referrers to the C&C and data exfiltration, the attackers who built this malware planned it well," the firm concludes. "On the device itself, the malware was designed to be resilient and to persist across system changes and updates."

Security watchers at Kaspersky Lab are less impressed by the threat, which they reckon has largely been a problem for Chinese smartphone users searching for smut.

"Kaspersky Lab has been aware of this threat since September 2017," said security research staffer Victor Chebyshev. "RedDrop is malware capable of spying on its victims (it can collect data about a victim's device, including data from the memory card and contacts list) and discreetly make a device buy paid-for subscriptions, which can result in users facing financial risk.

"We have seen hundreds of unique RedDrop detections across the world, mostly from Chinese users. The malware is spreading via third-party platforms that disguise the software as adult applications. Kaspersky Lab products have successfully detected and blocked RedDrop from September 2017." ®
