News & Analysis

Android Malware Capable Of Spying On Users Devices

By ISBuzz Team, March 1, 2018 (updated March 5, 2018)

It has been reported that a newly uncovered form of Android malware called RedDrop has the ability to steal critical information from infected devices. The research was conducted by security company Wandera, which stated that RedDrop was able to harvest full audio recordings of phone calls and also had the capability of secretly sending SMS messages to a premium rate service, increasing the user's phone bill. IT security experts commented below.

Craig Young, Computer Security Researcher at Tripwire:

“There is nothing new about this malware. This looks more like a very amateur trial run of Android malware rather than “one of the most sophisticated pieces of Android malware” as claimed by the researchers. Based on their report, this malware is not exploiting any vulnerabilities but instead relies on users installing a malicious application which requests many permissions. While it may not be common for Android malware to record and upload calls, I suspect this is because it provides minimal value outside of targeted attacks and potentially makes the malware more apparent by draining the victim’s battery quickly.

Android users do not need to do anything more than normal to guard against this threat. Default settings on all supported releases of Android should be pretty well protected against by installing only from trusted sources and leaving Google Play Protect enabled. It is also of course important to be mindful about what permissions are requested by apps. With Android 6 (released 2015), apps will request permissions at runtime, which should make it abundantly obvious when a malicious app wants to do something like sending SMS or recording audio. Users of older Android releases must rely instead on reviewing the requested permissions at install time to confirm that they are appropriate for the app.”

Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks:

“The Android platform has long been exploited by sophisticated spying trojans. We have seen this with both Pegasus and SunTeam.

Pegasus was an espionage campaign by the Israel-based NSO Group, capable of keylogging, screenshot capture, live audio and video capture, and data exfiltration from common social media applications.

Android phones are more likely to get malware than iPhones for two reasons. One, the Google Play app store is less strict at filtering malicious apps than the Apple App Store; and two, most Android phones are not up-to-date. According to Google’s developer dashboard, most Android users are on the 6.0 Marshmallow version – several versions behind – and less than one percent of users are running the newest 8.1 Oreo version.”

Mounir Hahad, Head of Threat Research at Juniper Networks:

“Android devices are a prime target for cyber criminals because they can natively download applications from non-Google approved marketplaces. Some of these application portals have little to no regard for the security risk of the applications they host. Even Google Play, for that matter, is not as good as the Apple App Store in picking up on malicious applications.

The real question is when are enterprises that allow BYOD going to start paying attention to this threat vector? It has been mostly ignored so far under the assumption that the enterprise does not own the device and therefore cannot remediate it. But BYOD devices are clearly posing a security risk if they can allow for spyware to run. Lateral movement in this case is just an executive with an infected device walking into a board meeting.”

Andrew Speakmaster, Founder and Chief Technology Officer at SiO4:

“This type of malware is very dangerous for a number of reasons. First, it causes personal financial liabilities to the victim by amassing SMS and other charges via a premium rate service. However, the most devastating reason is the data exfiltration of personal files that most likely contain some sort of PII (Personal Identifiable Information). Once the threat actor is able to extract PII from the device, the victim is open to identity fraud, compromised credentials and other malicious activities that can arise from this device breach.

The greatest threat from this malware is the potential to infiltrate a corporate network where IT assets are compromised and data can be exfiltrated. Many organizations have a BYOD policy which would be an ideal method of attack to create a devastating breach.

Third-party apps should never be downloaded onto a device; only apps from trusted sources like the Google Play Store or Apple App Store should be used.”

Anthony James, Chief Marketing Officer at CipherCloud:

“RedDrop has rapidly emerged as one of the newest global cyber threats to target mobile phone users. RedDrop arms sophisticated attackers with a very comprehensive and highly sophisticated surveillance system that is unknowingly hosted by the targeted host, an Android phone. The distributors of RedDrop appear to control thousands of malware-laced websites, and they use this infected network to lure and then compromise Android users.

Tools like RedDrop can enable the compromise of an entire corporate network, by clandestinely riding in camouflage within infected Android devices. This raises the imperative for enterprise and government to better understand how they will provide end-to-end data protection for cloud and on-premise based resources knowing that network penetration by an attacker becomes much more likely each and every day.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
