
Security researchers have discovered a nasty strain of Android malware designed to secretly spy on users, steal sensitive data from infected devices, including full audio recordings, and rack up a huge phone bill in the process. According to UK-based mobile security and data management firm Wandera, the malicious spyware, dubbed RedDrop, has been lurking in at least 53 new mobile applications masquerading as useful tools such as image editors, calculators and language learning apps.

"Each one is intricately built to provide entertaining or useful functionality – to act as a seemingly innocent guise for the malicious content stored within," Wandera researchers wrote in a blog post. "Wandera's machine learning detections first uncovered one of the RedDrop apps when a user clicked on an ad displaying on popular Chinese search engine Baidu. The user was then taken to huxiawang.cn, the primary distribution site for the attack."

The landing page is filled with content enticing the viewer to download one of the 53 malware-laced apps. The researchers said this is just one of more than 4,000 domains used by the RedDrop creators to distribute these apps and spread the malware.

"We believe the group developed this complex CDN [content distribution network] to obfuscate where the malware was served from, making it harder for security teams to detect the source of the threat," researchers said.

These RedDrop apps contain neatly arranged malicious embedded files. Once installed, the malware downloads additional payloads such as APKs and JAR files from various C&C servers and dynamically stores them in the device's memory.

"This technique allows the attacker to stealthily execute additional malicious APKs without having to embed them straight into the initial sample," the researchers said.

Each RedDrop app claims to offer a clear functionality that requires the user to interact with their phone. However, in one sample, the user unknowingly sends an SMS message to a premium service every time they touch the phone's screen within the app. One example included an adult-themed gaming app called "CuteActress" in which the user is prompted to rub the screen to reveal a seductively-clad woman.

As the victim continues to incur charges and rack up a huge phone bill, the malware stealthily deletes these sent messages almost instantly to avoid detection.

Image: Some of the dubious apps found distributing the RedDrop malware (Wandera)

RedDrop also comes with an array of spyware tools to harvest a trove of encrypted and unencrypted personal user data such as photos, contacts, images, device-related details such as IMEI and IMSI, the SIM's mobile country code and mobile network code, app data and nearby Wi-Fi networks. It can also secretly record audio of phone calls among other live recordings of its surroundings.

Once collected, the data is sent to the attackers' personal Dropbox or Drive folders to be used in future extortion schemes or cyberattacks.

"This multifaceted hybrid attack is entirely unique," Dr Michael Covington, vice president of product strategy at Wandera, said. "The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we've seen."

The researchers have described RedDrop as "one of the most sophisticated pieces of Android malware that we have seen in broad distribution."

"Not only does the attacker utilise a wide range of functioning malicious applications to entice the victim, they've also perfected every tiny detail to ensure their actions are difficult to trace," the researchers said. "The group that built this malware have planned it exceedingly well."

Some apps found distributing RedDrop include "Video Blocker", "Ninja Slice", "Paint It", "Hot Tone" and "Plus Italy" among others. However, these apps are currently only available via third-party sites and not the official Google Play Store.

"It's likely that RedDrop will continue to be employed by attackers even after these apps are flagged as malicious," the researchers noted.