New Android malware steals user data, records audio and incurs phone charges

The malware has invasive capabilities that Wandera says can be used in blackmailing victims.
(Flickr / <a href='' title='Blogtrepreneur'>Blogtrepreneur</a>)

A newly discovered family of mobile malware can siphon sensitive data from unsuspecting victims’ phones, record audio and trick users into incurring premium charges on their phone bills.

Mobile security company Wandera said in its report about the malware, called RedDrop, that it is “one of the most sophisticated pieces of Android malware” it has seen in wide distribution.

RedDrop is hidden in a set of third-party apps — generally downloaded outside of official Android channels — that appear to provide some functionality, like calculators, image editors or games. The malware has invasive capabilities that Wandera says can be used to ultimately blackmail victims.

Spyware in RedDrop can collect data such as local files and photos, device information and nearby Wi-Fi networks. It can also record audio from the device’s surroundings. RedDrop sends all this data to cloud storage services belonging to the attackers “to be used in their extortion schemes and as the foundation to launch further attacks,” Wandera says.


According to Wandera, RedDrop is found in at least 53 Android apps distributed from more than 4,000 domains registered to an underground group. The apps don’t appear to have been distributed by the Google Play Store; rather, they are third-party apps presented to victims through advertisements. When it comes to malicious apps on the official app store, Google says it is removing thousands per day.

Wandera says it discovered the malware when its machine-learning engine blocked a suspicious download from an ad on Baidu, a popular Chinese search engine. If an unsuspecting user clicks on the ad, they are “taken through a complex series of network redirects in an attempt to circumvent and evade malware detection techniques, prior to being presented with the download.”

“Each [app] is intricately built to provide entertaining or useful functionality – to act as a seemingly innocent guise for the malicious content stored within,” Wandera says.

In one example, Wandera provides called “CuteActress,” users rub their screen to reveal an image of a scantily-clad female. However, every time the user touches their screen, they unknowingly send an SMS message to a premium service, resulting charges on their mobile bill.

“This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we’ve seen,” Michael Covington, Wandera’s vice president of product strategy says in the report.

Latest Podcasts