Fast Facts: 'RedDrop' Malware Goes After Most Popular OS

[This story was updated March 2, 2018.]

In the fast-paced IT industry, new statistics and data are released daily. Each week, Enterprise Mobility Exchange publishes Fast Facts, taking a look at interesting or noteworthy information impacting businesses.

In this week's edition of Fast Facts, we're deviating slightly to address the latest and greatest mobile malware on the market this week, named RedDrop and infiltrating Android app packages. As previously reported by Enterprise Mobility Exchange, Android is the least secure mobile operating system available to users, and is also the most widely used.

The malware, dubbed “RedDrop,” contains Trojan files, a dropper that lets it install additional Android application packages (APKs), spyware, and screen-reading capabilities that send SMS messages to a premium-rate service, running up charges for the victim. All in all, it’s capable of critical data loss and data exfiltration (audio files, Wi-Fi detection, and more).

The strain was spotted by Wandera after a user clicked an ad on the popular Chinese search engine Baidu, according to Wandera’s comprehensive report. The user was then ushered to, the epicenter. Landing pages urged users to download one of 53 apps corrupted with RedDrop.

Of the many RedDrop apps, some deal in image editing, others in simple calculation. What’s more, some RedDrop apps are recreational – dabbling in space travel or world languages. The apps ostensibly work as intended, but malicious activity is conducted beneath them.

To carry out the multipronged attack, the RedDrop apps request invasive permissions. One such permission allows the malware to persist across reboots. This places it in an advantageous position – able to communicate with command and control (C&C) servers, according to the report. At least seven APKs are installed in the background to allow for lateral movement.

“We believe the group developed this complex CDN to obfuscate where the malware was served from, making it harder for security teams to detect the source of the threat,” the report said.

The security experts at Wandera call the variant “highly destructive” because of its deep-seated distribution network. Some of the RedDrop apps rely on user interaction as well: in some cases, a touch on the screen triggers the sending of the aforementioned SMS messages.

To aid its extortion, RedDrop reportedly collects information rapidly to transmit to Dropbox or Drive folders.

The experts that fleshed out this variant call it “one of the most sophisticated pieces of Android malware that we have seen in broad distribution.”

On the app-driven, spyware-inducing malware strain, Wandera’s Vice President of Product Strategy, Dr. Michael Covington, said, “This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent.”

Because of RedDrop’s refined functionality, it’s primed to inflict damage on users who freely give away app permissions or fail to protect devices from third-party app stores.

Users and organizations are asked to disable installation of apps from outside official app stores – which are still an effective threat vector. Organizations in particular are asked to update their fleets to the latest version of Android, “Oreo,” which has better threat-detection capabilities built into the OS.

In response to Wandera's assessment of the RedDrop malware family, several cyber security experts have offered a rebuttal. Some have downplayed the severity of the variant.

In explaining how the strain combines spyware, Trojan and data exfiltration, The CyberWire said in its Daily Briefing that "if users take apps only from reputable sources and enable Google Play Protect, they're probably safe."
