Threat Advisory: RedDrop - Zimperium

RedDrop is another in the long line of Android spyware apps. The malware has captured attention because of its ability to turn on microphones and exfiltrate sensitive data, but unfortunately that doesn’t make it unique. While there appears to be an elaborate network behind it, RedDrop is simply another Android spyware variant that utilizes well-known techniques that are found in many of the attacks being regularly discovered. Like the others, RedDrop is detected by Zimperium’s z9 detection engine, on device and in real-time.

RedDrop Analysis

According to the researchers that disclosed the malware, here are some salient points of RedDrop:

• A Group of at least 50 functioning apps containing the sophisticated RedDrop malware
• Apps are distributed from a complex network of 4,000+ domains registered to the same underground group
• Once the app is opened, at least seven further apps (APKs) are silently downloaded, unlocking new malicious functionality
• These additional APKs include spyware-like components, harvesting sensitive data, including passively recording the device’s audio, photos, contacts, files and more
• RedDrop then exfiltrates this data, uploading it straight into remote file storage systems for use in extortion and blackmailing purposes
• When the user interacts with the app, each interaction secretly triggers the sending of an SMS to a premium service, which is then instantly deleted before it can be detected

How Zimperium Helps Defeat RedDrop

Zimperium zIPS, powered by our core machine learning-based engine, z9, detects the RedDrop malware locally, on device, and can prevent it from executing via customer-defined policy enforcement. Additionally, exploits used by the malware to escalate privileges on the device would also be detected by z9.

For more information about Zimperium and its offerings, please visit us at www.zimperium.com.