A previously unrecorded threat has been uncovered in which 53 still-operating apps distribute RedDrop malware, which can exfiltrate a wide range of data from a victim’s mobile device.
The malware was discovered by researchers at Wandera, who found it being distributed through a complex, interconnected content distribution network spanning 4,000 domains worldwide, all in order to obfuscate itself and evade detection. Wandera found RedDrop to be extremely dangerous and destructive. In a single drive-by attack it can deliver seven or more malicious APKs from its C&C server, unbeknownst to the victim, each carrying out a wide variety of malicious activities.
These include trojans, droppers, spyware and data extractors. The information the latter malware removes includes photos, contacts, images, audio recordings of the device’s surroundings and device-related information.
The malicious apps themselves pose as everything from space exploration to image editors and calculators. Wandera pointed out that each app is well designed and fully functional, which helps make it look innocent to the user.
“This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we’ve seen,” said Dr Michael Covington, VP of Product Strategy at Wandera.
The type of information that is pulled from the device is damaging at the personal level and possibly at the corporate level as well. Not only can a person lose control of their PII, but if the device is used for work it can endanger business activities.
“Once the threat actor is able to extract PII from the device, the victim is open to identity fraud, compromised credentials and other malicious activities that can arise from this device breach. The greatest threat from this malware is the potential to infiltrate a corporate network where IT assets are compromised and data can be exfiltrated. Many organizations have a BYOD policy which would be an ideal method of attack to create a devastating breach,” Andrew Speakmaster, founder and chief technology officer of SiO4, told SC Media.
Because RedDrop greatly expands the attack surface to include personal devices, possibly operated by a person who will download apps from a third-party store, large organizations need to develop protective measures.
“Tools like RedDrop can enable the compromise of an entire corporate network, by clandestinely riding in camouflage within infected Android devices. This raises the imperative for enterprise and government to better understand how they will provide end-to-end data protection for cloud and on-premise based resources knowing that network penetration by an attacker becomes much more likely each and every day,” said CipherCloud chief marketing officer Anthony James.