New RedDrop Android Spyware Records Nearby Audio

LASER_oneXM

Feb 4, 2016
A new Android malware strain named RedDrop can perform a vast array of malicious actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive.

The malware was first spotted by UK mobile security firm Wandera on the phones of employees of several global consultancy firms.

Despite an impressive array of intrusive features that could easily classify it as spyware, the malware wasn't part of a cyber-espionage operation but was primarily used to subscribe users to premium SMS numbers that netted the RedDrop authors a profit.

Malware primarily active in China

The malware is primarily active in China. Because there's no official Google Play Store in China, users usually rely on search engines to find apps, which is RedDrop's primary distribution method. A typical RedDrop infection chain looks like this:

① User searches Baidu for an Android app.
② A poisoned search result redirects users through countless domains until they land on a third-party app store.
③ User installs a RedDrop-infected app that asks for intrusive permissions.
④ Malware gets boot persistence and then gathers basic device data that it sends to a remote C&C server.
⑤ RedDrop downloads and installs seven other apps that provide the malware with additional functions.
⑥ User launches and interacts with the app.
⑦ RedDrop's primary goal is to subscribe the user to premium SMS services and delete any incoming confirmation texts that may alert the user.
⑧ Malware also steals phone data such as photos, files, and contact list. It optionally makes recordings of nearby audio. RedDrop sends all these files to remote Dropbox and Google Drive accounts.
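The infection chain above names four capabilities a reviewer can look for before an app is installed: boot persistence, sending and intercepting SMS, audio recording, and reading contacts and files. The following static-triage script is an added example (not code from Wandera, Bleeping Computer, or the RedDrop sample itself): it parses an AndroidManifest.xml, checks which of those capability clusters the requested permissions satisfy, and flags a high-priority receiver for the SMS_RECEIVED broadcast, the mechanism an app would need to act on confirmation texts before the user sees them. The permission-to-behaviour mapping and both manifests are constructed assumptions; the article does not list the exact permissions RedDrop requests.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"

# Capability clusters inferred from the behaviour described in the write-up.
# ASSUMPTION: these are the permissions such behaviour would require; the
# page does not state which permissions RedDrop actually asks for.
CLUSTERS = {
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "premium_sms": {"android.permission.SEND_SMS",
                    "android.permission.RECEIVE_SMS"},
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "data_theft": {"android.permission.READ_CONTACTS",
                   "android.permission.READ_EXTERNAL_STORAGE"},
}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def permissions(root):
    """Set of permission names declared with <uses-permission>."""
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def high_priority_sms_receiver(root, min_priority=1000):
    """True if some receiver listens for SMS_RECEIVED with a high priority.

    A high-priority receiver runs ahead of the default SMS app; on older
    Android releases it could abort the broadcast, which is how an incoming
    confirmation text could be suppressed. Treated here as a strong signal.
    """
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            actions = {a.get(NAME) for a in filt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                prio = int(filt.get(PRIORITY, "0"))
            except ValueError:
                prio = 0
            if prio >= min_priority:
                return True
    return False


def triage(manifest_xml):
    """Score a manifest by the number of suspicious clusters it satisfies."""
    root = ET.fromstring(manifest_xml)
    perms = permissions(root)
    hits = sorted(name for name, need in CLUSTERS.items() if need <= perms)
    sms_hook = high_priority_sms_receiver(root)
    score = len(hits) + (2 if sms_hook else 0)
    if score >= 4:
        verdict = "high"
    elif score >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "permissions": sorted(perms),
        "clusters": hits,
        "sms_intercept_receiver": sms_hook,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest modelled on the behaviour described above (not RedDrop's).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary network-using app.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The clusters are deliberately coarse: many legitimate apps record audio or read contacts, so a single match means little, while all four plus a high-priority SMS receiver in an app found through a search-engine result rather than an app store is exactly the combination the article describes. The manifest can be extracted from an APK with standard tooling before installation; the script only needs the decoded XML.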