Advisory on RedDrop Exploit

Risk:                 HIGH                 

Damage:          HIGH          

Advisory ID:      ngCERT-2018-0016

Platforms:         Android OS

Date:                19 March, 2018

Summary

RedDrop is one of the most sophisticated android malware variant that exist. A total of 53 new malicious applications have so far been discovered to be harbouring this malware variant. The malware family also includes a set of spyware tools capable of extracting valuable and damaging data from the victim’s device. The Wandera researchers associated encrypted and unencrypted data, encoded data and TCP streams to RedDrop’s exfiltration activities. Meanwhile, the android applications malware is said to be pervasive in china.

Description and Consequences

RedDrop is a zero-day threat discovered by Wandera’s mobile threat research team based in UK. It is a family of mobile malware that inflict financial costs and critical data loss on infected devices. The apps are being promoted via ads displayed on the popular Chinese search engine Baidu. It was also reported that those who click on the ads are taken to huxiawang.cn, which is the primary distribution site for the attack. The landing pages that follow hosts various content to encourage and incite the user to download one of the 53 apps within the RedDrop family of malicious apps.

Once the RedDrop-infected apps are installed the program silently downloads an additional seven Android application packages (APK) that add additional spyware and malicious components such as trojans, premium SMS functionality and additional dropper software. This functionality is aimed at making the malware trick the victim to unknowingly submit expensive SMS messages to a premium service.

More disturbing is the fact that the malware having fully gained entrance in the target device, will extract a devastating amount of personal data, including live recordings of the infected device's surroundings, files, photos, contacts, device intelligence, application data and Wi-Fi information. The extracted data is then transmitted to the attacker's personal Dropbox or Google Drive folder without arousing any suspicion. The data provides the attacker with more device-centric information. 

Solution

Users can best protect themselves against threats like RedDrop by downloading apps from only official app marketplaces. In addition, observe the followings in line with best practice:

  1.  Change your device settings to disallow third-party downloads.
  2. Avoid rooting your device.
  3. Carefully reviewing the permissions of a program before approving its installation. 
  4. Deploy a security solution that can monitor and block command and control (C&C) traffic at the device level.

References

  • https://www.wandera.com/blog/reddrop-malware/
  • https://threatpost.com/sophisticated-reddrop-malware-targets-android-phones/130170/
  • https://www.scmagazineuk.com/reddrop-malware-runs-up-big-bills-on-android-smartphones-and-spies-on-users/article/747588/
  • https://www.tripwire.com/state-of-security/latest-security-news/reddrop-malware-records-audio-and-exfiltrates-it-to-cloud-storage-services/
  • https://www.securityweek.com/reddrop-mobile-malware-records-ambient-audio
image
Security Alert

& Advisory

Read More image
image
We Love to

Hear From You

Send Your Enquiry Here image
Join Our Newsletter