Researchers at Wandera have discovered a new Android malware that is now being dubbed “RedDrop.” While there are plenty of malware variants out there, a good portion of them look to extort money from the victim. These are usually referred to as ransomware because of their nature of holding content belonging to the user for ‘ransom,’ most typically by blocking the victim’s access to that content. RedDrop is a little different in this respect: not only does it not block the victim’s access, but there is a good chance the user will remain unaware of the malware until a blackmail demand is made.
This is because RedDrop’s priority is amassing the victim’s data, not locking it. As the researchers state, RedDrop is primarily concerned with copying all of the data and information it can from an infected device to a Dropbox or Google Drive folder accessible by the attacker(s). The malware is also said to be specifically interested in identifying and copying sensitive data, with a view to allowing the attackers to blackmail the user at a later time. While copying personal information, photos, videos, and so on seems to be the primary goal of the malware, it can also effectively create new and usable material: for example, it can activate the device’s microphone and record what it hears. Likewise, as a side revenue stream, the malware interprets every click by the user within one of the culprit apps as a command to send an SMS message to a premium-rate number, while instantly deleting the breadcrumbs related to that action.
All of this is made possible by the mechanics of the malware. Once a target app has been downloaded by the user (Wandera currently states there are more than fifty such apps), the app is able to download and deploy additional apps. These then run in the background and work together to carry out the fundamentals of the attack. As is usually the case with malware, how susceptible an individual and their device are to RedDrop varies. For example, the researchers note that because the app tries to escalate its permissions, devices running Android 8.0 (Oreo) are less prone to its effects, since Oreo notifies device owners of a change in permissions. Oreo aside, the researchers explain that the single biggest proactive protective measure device owners can take is disabling the device’s ability to install third-party apps. Therefore, while Wandera is positioning this as “one of the most sophisticated pieces of Android malware that we have seen in broad distribution,” it also seems to be one that is easily protected against through basic safeguards: disabling third-party app installation, running the most up-to-date version of Android, and monitoring new permission requests.
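The behaviours described above (premium-rate SMS sending, microphone recording, bulk copying of user files, and installing further downloaded apps) each require an Android app to declare a corresponding permission in its manifest, which is why monitoring permission requests is a useful safeguard. The following triage script is an added example written for this article; it is not Wandera’s code and not based on RedDrop’s actual manifest. It parses an `AndroidManifest.xml`, maps declared permissions onto the capabilities the article attributes to the malware, and flags an app for review when several of them coincide. The permission-to-behaviour mapping, the review threshold of three behaviours, and both sample manifests are the author’s own assumptions, constructed for illustration.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Heuristic mapping (an assumption, not a published indicator set): the
# capabilities the article attributes to RedDrop, and the standard Android
# permissions an app would have to declare to perform each of them.
BEHAVIOUR_PERMISSIONS = {
    "premium-rate SMS sending": {"android.permission.SEND_SMS"},
    "microphone recording": {"android.permission.RECORD_AUDIO"},
    "bulk copying of user files": {"android.permission.READ_EXTERNAL_STORAGE"},
    "installing additional downloaded apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "reading SMS traffic": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}

# Review threshold (assumption): three or more of the behaviours together
# is unusual for a benign app and warrants a manual look.
REVIEW_THRESHOLD = 3


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def flagged_behaviours(manifest_xml: str) -> list[str]:
    """List the suspicious behaviours whose required permissions are declared."""
    perms = declared_permissions(manifest_xml)
    return sorted(
        behaviour
        for behaviour, needed in BEHAVIOUR_PERMISSIONS.items()
        if needed & perms  # any one of the listed permissions is enough
    )


def triage(manifest_xml: str) -> str:
    """Return 'review' when enough behaviours coincide, otherwise 'low'."""
    return "review" if len(flagged_behaviours(manifest_xml)) >= REVIEW_THRESHOLD else "low"


# Constructed sample manifests (not real apps): a minimal flashlight app and
# an app whose permission set matches the capabilities described in the article.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight"/>
</manifest>
"""

SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspicious">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Free Wallpapers"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(f"{label}: verdict={triage(manifest)} behaviours={flagged_behaviours(manifest)}")
```

The script only inspects declared permissions, so it is a first-pass filter rather than a detection: a permission that is declared is not necessarily used, and an app that downloads further components at runtime (as the article describes) may declare little in its own manifest while the dropped components carry the real permission set. Reviewing each installed or dropped APK separately, and watching for new permission prompts as Oreo surfaces them, is what the triage is meant to support.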