RedDrop mobile malware family threatens Android users

by Alice Woods - -

Google mobile operating system Android leads the global mobile market, however, Android users should take care of their smartphones and tablets due to an increasing number of malware targeting Android devices. One of them, a sophisticated strain of mobile malware named RedDrop is able to steal sensitive information, audio records, and run up premium text message charges in order to extort money from Android users.[1]

RedDrop mobile malware

RedDrop was detected by the security firm Wandera which announced that the malware is being distributed via 53 Android apps available on third-party app stores. The applications include image editors, calculators, language learning tools and even adult-themed apps. According to Wandera, the cybercriminals targeted Android users that work at the “Big Four” consultancy companies. 

“RedDrop is one of the most sophisticated pieces of Android malware that we have seen in broad distribution. Not only does the attacker utilize a wide range of functioning malicious applications to entice the victim, they’ve also perfected every tiny detail to ensure their actions are difficult to trace,” noted Wandera.

It is still not clear how many devices were infected with the malware. Wandera noted that the pace of attempted infections was accelerating. The security firm has initially discovered RedDrop and already has blocked about 20 further requests from an application that were infected with the malware to reach the RedDrop distribution network which spreads the malware. 

The Chinese-based search engine, called Baidu promotes the infected applications. Security researchers at Wandera wrote that users that click on those adverts are “taken to huxiawang[.]cn, the primary distribution site for the attack. The landing pages that follow host various content to encourage and invite the user to download one of the 53 apps within the RedDrop family of malicious apps.”

Once a victim installs a RedDrop infected application, the software quietly downloads seven additional Android application packages (APK) that infect the device with spyware and other malicious components including Trojans, premium SMS functionality, and additional dropper software.

Every time the victim interacts with the infected application, it secretly sends the text message to a premium number. In order to hide this malicious activity, the SMS message is instantly deleted before the victim can detect it. 

The infected applications are also able to harvest sensitive and private data, including important files, photos, contacts. They are also capable of recording audio and extracting locally saved files. The stolen data is uploaded to the cybercriminal’s Dropbox account and can be used for possible extortion purposes.[2]

Apps within the RedDrop family request invasive permissions enabling the attack to be conducted without requesting further interaction from the user. One of the more destructive permissions allows the malware to be persistent between reboots. Granting it the ability to constantly communicate with command and control (C2) servers, permitting the covert activation of its malicious functionality.

The malware was first detected at a “Big Four” consultancy company when the security firm Wandera noticed the unusual network traffic from one of the employee’s mobile device to a number of malicious web pages. 

Further investigation revealed an APK file being hosted on these domains, and from there more information about the wider threat was uncovered.

Cybercriminals apply the method that enables them to stealthily execute addition malicious APKs without injecting them directly into the initial sample because, after the installation, RedDrop-infected applications downloads additional malicious packages from the hacker’s C2 servers, and stores them in the victim’s device’s memory. 

The security filters are tricked by using a pool of more than 4,000 domains to spread the infected applications. This way users are redirected multiple times. 

Even though these infected applications are flagged as malicious, it is likely that the malware strain will remain to be used by cybercriminals. For instance, in the case of SLocker, cybercriminals were available to create more variants of already known malware in order to bypass security and protection measures. “We expect the same to be true of RedDrop in the coming months,” – wrote security experts. 



About the author

Alice Woods
Alice Woods - Antivirus software analyst

Alice Woods is an anti-malware analyst at She is passionate about testing new pieces of software and discovering pros and cons of each program.

Contact Alice Woods
About the company Esolutions


now online
Like us on Facebook