{
	"id": "329a7235-ca9f-44a9-ab03-5d0a24bc32b1",
	"created_at": "2026-04-06T00:20:18.848546Z",
	"updated_at": "2026-04-10T03:20:37.96273Z",
	"deleted_at": null,
	"sha1_hash": "cd9de5df6b21ff12f3fe92feef6526f14b2a507d",
	"title": "RedDrop: the blackmailing mobile malware family lurking in app stores",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2347119,
	"plain_text": "RedDrop: the blackmailing mobile malware family lurking in app\r\nstores\r\nBy Nell Campbell\r\nArchived: 2026-04-05 21:54:01 UTC\r\nSecurity | February 27, 2018 at 1:52 pm by\r\nAs soon as the threat research community collectively gets to grips with a new malware variant, another more\r\naggressive strain rears its ugly head. The latest zero-day threat to be discovered by Wandera’s mobile threat\r\nresearch team is RedDrop, a family of mobile malware inflicting financial cost and critical data loss on infected\r\ndevices. The most worrying part? The 53 malware-ridden apps are exfiltrating sensitive data – including ambient\r\naudio recordings – and dumping it in the attackers’ Dropbox accounts to prepare for further attacks and extortion\r\npurposes.\r\nThe infection was first unearthed at several global consultancy firms, when Wandera’s machine intelligence\r\nengine – MI:RIAM – blocked a suspicious app download. Since then, Wandera’s threat research team has\r\ninvestigated the app and its hidden functionality in more detail to gain a clearer understanding of the previously\r\nundiscovered mobile malware family which we have termed RedDrop.\r\nZero-day threat previously unknown within the mobile security community\r\nGroup of at least 50 functioning apps containing the sophisticated RedDrop malware\r\nApps are distributed from a complex network of 4,000+ domains registered to the same underground group\r\nOnce the app is opened, at least seven further APKs are silently downloaded, unlocking new malicious\r\nfunctionality\r\nWhen the user interacts with the app, each interaction secretly triggers the sending of an SMS to a\r\npremium service, which is then instantly deleted before it can be detected\r\nThese additional APKs include spyware-like components, harvesting sensitive data, including passively\r\nrecording the device’s audio, photos, contacts, files and more\r\nRedDrop then exfiltrates this data, uploading it straight into remote file 
storage systems for use in extortion\r\nand blackmailing purposes\r\nRedDrop: Wandera’s research findings\r\nhttps://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/\r\nPage 1 of 9\n\nA total of 53 new malicious applications have so far been discovered to be harbouring this malware variant. The\r\napplications range from practical tools like image editors and calculators, to more recreational apps covering\r\ntopics like space exploration or learning new languages. Each one is intricately built to provide entertaining or\r\nuseful functionality – to act as a seemingly innocent guise for the malicious content stored within.\r\nApps within the RedDrop family request invasive permissions enabling the attack to be conducted without\r\nrequesting further interaction from the user. One of the more destructive permissions allows the malware to\r\npersist across reboots, granting it the ability to communicate constantly with command and control (C\u0026C)\r\nservers and permitting the covert activation of its malicious functionality.\r\n1. The complex distribution network\r\nWandera’s machine learning detections first uncovered one of the RedDrop apps when a user clicked on an ad\r\ndisplaying on popular Chinese search engine Baidu. The user was then taken to huxiawang.cn, the primary\r\ndistribution site for the attack. The landing pages that follow host various content to encourage and incite the user\r\nto download one of the 53 apps within the RedDrop family of malicious apps.\r\nRedDrop’s creators utilise an intricate content distribution network (CDN) of over 4,000 domains to distribute the\r\napplications serving the malware. 
In Wandera tests, upon clicking on huxiawang.cn, users were taken through a\r\ncomplex series of network redirects in an attempt to evade malware detection techniques, prior to\r\nbeing presented with the download.\r\nWe believe the group developed this complex CDN to obfuscate where the malware was served from,\r\nmaking it harder for security teams to detect the source of the threat.\r\nSenior Security Researcher at Wandera\r\n2. The malicious functionality\r\nRedDrop is highly destructive due to the sophistication of its distribution network and the powerful hybrid\r\nfunctionality which delivers multiple malicious actions in one package. Through static and dynamic analysis of\r\nthe RedDrop drive-by, Wandera’s threat research team uncovered a mechanism whereby 7+ additional APKs are\r\nsilently installed onto the device from the C\u0026C server. These additional APKs contain the following functionality:\r\nA) Trojan\r\nWhen the RedDrop apps are unzipped (static analysis) they’re found to contain malicious embedded files, which\r\nare then loaded at runtime in order to initiate the malicious functionality. These files are located in the assets folder of the\r\napplication shown below.\r\nContents of RedDrop malware application package (APK)\r\nB) Dropper\r\nImmediately after installation, the malware downloads additional components (APKs, JAR files) from different\r\nC\u0026C servers and loads them dynamically at runtime. This technique allows the attacker to stealthily\r\nexecute additional malicious APKs without having to embed them straight into the initial sample. 
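The embedded-asset and dynamic-loading behaviour described under A) and B) above can be checked statically, without running a sample. The following Python script is an added example written for this page; it is not Wandera’s tooling and contains nothing taken from the RedDrop samples. It treats the APK as a ZIP, flags any file under assets/ that is really a DEX or ZIP/APK/JAR by its magic bytes regardless of the file name it was given, and walks the string table of every DEX it finds (including payloads hidden in assets/) looking for references to the class-loader, SMS, audio-recording and identifier-collection APIs the functionality above would need. The API string list and the sample APK the script builds for itself are constructed assumptions, not indicators from the report.

```python
import io
import struct
import zipfile

# API references (DEX string-table entries) that the trojan, dropper, SMS-fraud
# and spyware components described above would need. This list is an assumption
# for the example, not an indicator set taken from the report.
SUSPICIOUS_API_STRINGS = {
    'Ldalvik/system/DexClassLoader;': 'dynamic code loading (dropper)',
    'Ldalvik/system/PathClassLoader;': 'dynamic code loading (dropper)',
    'sendTextMessage': 'SMS sending (premium-service fraud)',
    'content://sms': 'SMS store access (deleting the sent messages)',
    'Landroid/media/MediaRecorder;': 'audio recording (spyware)',
    'getDeviceId': 'IMEI collection',
    'getSubscriberId': 'IMSI collection',
    'getSimSerialNumber': 'ICCID collection',
}
DEX_MAGIC = bytes.fromhex('6465780a')   # the letters dex followed by a newline
ZIP_MAGIC = bytes.fromhex('504b0304')   # local file header of a ZIP (APK and JAR are ZIPs)


def read_uleb128(data, pos):
    # Unsigned LEB128, the encoding of utf16_size in a DEX string_data_item
    value, shift = 0, 0
    while True:
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7f) << shift
        if byte & 0x80 == 0:
            return value, pos
        shift += 7


def dex_strings(dex):
    # Walk the string_ids table: string_ids_size is at header offset 0x38 and
    # string_ids_off at 0x3c; each entry is a 4-byte offset to a string_data_item
    # (uleb128 utf16 length, then MUTF-8 bytes, then a NUL terminator).
    if dex[:4] != DEX_MAGIC:
        raise ValueError('not a DEX file')
    count, table_off = struct.unpack_from('<II', dex, 0x38)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from('<I', dex, table_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)
        end = dex.index(0, start)
        strings.append(dex[start:end].decode('utf-8', errors='replace'))
    return strings


def triage_apk(apk_bytes):
    # Report payloads hidden under assets/ (identified by content, not by file
    # name) and suspicious API references in every DEX found, wherever it sits.
    findings = {'embedded_payloads': [], 'api_hits': {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            is_dex = blob[:4] == DEX_MAGIC
            if name.startswith('assets/') and (is_dex or blob[:4] == ZIP_MAGIC):
                kind = 'dex' if is_dex else 'zip/apk/jar'
                findings['embedded_payloads'].append((name, kind, len(blob)))
            if is_dex:
                for s in dex_strings(blob):
                    if s in SUSPICIOUS_API_STRINGS:
                        findings['api_hits'][s] = SUSPICIOUS_API_STRINGS[s]
    return findings


def build_minimal_dex(strings):
    # Constructed fixture: a DEX carrying only a valid magic and a string table,
    # enough for dex_strings() to parse; the Android runtime would reject it.
    header = bytearray(0x70)
    header[0:8] = bytes.fromhex('6465780a30333500')   # magic: dex, newline, 035, NUL
    table_off = 0x70
    data_off = table_off + 4 * len(strings)
    table, data = bytearray(), bytearray()
    for s in strings:
        table += struct.pack('<I', data_off + len(data))
        data += bytes([len(s)]) + s.encode('utf-8') + bytes([0])   # ASCII only, length < 128
    struct.pack_into('<II', header, 0x38, len(strings), table_off)
    return bytes(header) + bytes(table) + bytes(data)


def build_sample_apk():
    # Constructed APK, not a RedDrop sample: classes.dex references the class
    # loader, the SMS content provider and the IMEI getter, and a second DEX is
    # stored under assets/ with an image file name, as a dropper payload would be.
    inner_dex = build_minimal_dex(['Landroid/media/MediaRecorder;', 'sendTextMessage'])
    outer_dex = build_minimal_dex(['Ldalvik/system/DexClassLoader;', 'content://sms',
                                   'getDeviceId', 'LMainActivity;'])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('AndroidManifest.xml', bytes(4))
        zf.writestr('classes.dex', outer_dex)
        zf.writestr('assets/image.png', inner_dex)                           # DEX disguised as an image
        zf.writestr('assets/logo.png', bytes.fromhex('89504e470d0a1a0a'))   # a real PNG header, ignored
    return buf.getvalue()


if __name__ == '__main__':
    result = triage_apk(build_sample_apk())
    for name, kind, size in result['embedded_payloads']:
        print('embedded payload:', name, kind, size, 'bytes')
    for s, why in result['api_hits'].items():
        print('api reference:', s, '->', why)
```

The magic-byte check matters more than the extension: a dropper payload stored as assets/image.png is invisible to a listing that trusts file names. The string-table walk is deliberately minimal (no class or method parsing), so it will also fire on benign apps that legitimately use DexClassLoader or send SMS; treat a hit as a reason to pull the sample into dynamic analysis, not as a verdict.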
This can be seen\r\nfrom both the network communication and the device logs.\r\nOptimizing malicious components for execution\r\nLoading Dropped APKs\r\nC) SMS fraud and Spyware\r\nApps within the RedDrop family each provide clear functionality to the user, which requires the victim to interact\r\nwith their mobile device. In one such sample, each time the screen is touched within the app, the user is\r\nunwittingly sending an SMS message to a premium service incurring substantial charges. Crucially, the malware\r\nis able to delete these messages almost instantly, meaning the evidence of these premium SMS is destroyed.\r\nPayment service through SMS method\r\nPerhaps the most perverse aspect of the RedDrop malware family is its invasive set of spyware tools. Firstly, the\r\nmalicious application monitors for the presence of the user in order to initiate the rest of the malicious\r\nfunctionality. Then, the app records and exfiltrates data to a variety of servers and cloud storage services.\r\n3. Critical data loss\r\nWhen all of the functionality is combined, RedDrop aims to extract valuable and damaging data from the victim.\r\nAs soon as the information is collected, it is transmitted back to the attackers’ personal Dropbox or Drive folders\r\nto be used in their extortion schemes and as the foundation to launch further attacks.\r\nData stolen includes:\r\n1. Locally saved files – photos/contacts/images\r\n2. Live recordings of the device’s surroundings\r\n3. Device-related info (IMEI, IMSI, etc.)\r\n4. SIM-related info (MNC, MCC, etc.)\r\n5. Application data\r\n6. 
Nearby Wi-Fi networks\r\nWandera observed several types of information exfiltration by the RedDrop malware family, including encrypted\r\nand unencrypted data, encoded data and raw TCP streams.\r\nThe data exfiltrated provides the attacker with device-centric information, ranging from whether the device\r\nis on Wi-Fi or cellular and the operating system and manufacturer details of the device, up to whether the device is\r\nalready rooted. SIM card information (ICCID) is also transmitted.\r\nIn more detail, the parameters of the request are:\r\nnetConnectionType\r\nosVersion\r\nimei\r\nappId\r\nos_ui_version\r\nourVersion\r\npackageName\r\nchannelId\r\niccid\r\nisRoot\r\ndeviceManufacturer\r\ntype\r\ndeviceNo\r\nmac\r\ndeviceType\r\nimsi\r\nExample of exfiltrated data transfer\r\nBelow we can see how data related to the SMS payments and internal network details are being exfiltrated. The\r\nencoded payload is visible on the bottom right part of the screenshot:\r\nCase study: CuteActress\r\nZero-day mobile malware: A RedDrop application in the wild\r\nThe CuteActress app ostensibly functions as an adult-themed game in which the user must rub the screen in order\r\nto reveal a seductively-dressed female. Each time the screen is ‘rubbed’, the user is unknowingly sending an SMS\r\nmessage to a premium service. After installation the app dynamically loads 7 additional APKs with trojan,\r\ndropper, spyware and data exfiltration functionality, like the rest of the apps in the RedDrop mobile malware\r\nfamily.\r\nConclusion\r\nRedDrop is one of the most sophisticated pieces of Android malware that we have seen in broad distribution. 
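The beacon parameters listed under section 3 above give a network-side signature that does not depend on which of the 53 apps or the thousands of distribution domains is involved. The following Python code is an added detection example written for this page, not part of the original report or of Wandera’s product: it pulls parameter names out of the query string and the form-encoded body of each proxied request, counts how many of the documented field names appear together and how many hardware identifiers (IMEI, IMSI, ICCID, MAC) travel in one request, and flags the request above a threshold. The log format, the thresholds and the log lines themselves are constructed for the example. The report also describes encoded and encrypted exfiltration, which a plaintext parameter-name check like this one will not see, so it complements blocking the command and control domains rather than replacing it.

```python
from urllib.parse import parse_qs, urlsplit

# Request parameters the report lists for the RedDrop device-profile upload
REDDROP_BEACON_FIELDS = {
    'netConnectionType', 'osVersion', 'imei', 'appId', 'os_ui_version',
    'ourVersion', 'packageName', 'channelId', 'iccid', 'isRoot',
    'deviceManufacturer', 'type', 'deviceNo', 'mac', 'deviceType', 'imsi',
}
# Hardware identifiers: several of these in one request are suspicious on their own
IDENTIFIER_FIELDS = {'imei', 'imsi', 'iccid', 'mac'}

# Thresholds are assumptions for the example, to be tuned against real traffic:
# generic names such as type or mac occur in benign apps, so single hits are ignored.
MIN_BEACON_FIELDS = 8
MIN_IDENTIFIERS = 3


def request_parameter_names(method, url, body):
    # Parameter names from the query string and, for POST, the form-encoded body.
    names = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    if method == 'POST' and body:
        names |= set(parse_qs(body, keep_blank_values=True))
    return names


def score_request(method, url, body):
    names = request_parameter_names(method, url, body)
    beacon = names & REDDROP_BEACON_FIELDS
    ids = names & IDENTIFIER_FIELDS
    flagged = len(beacon) >= MIN_BEACON_FIELDS or len(ids) >= MIN_IDENTIFIERS
    return ('alert' if flagged else 'ok'), sorted(beacon), sorted(ids)


def scan_proxy_log(lines):
    # Constructed log format for this example: ts|client|method|url|body
    # (body empty for GET). Real proxies (Squid, Zeek http.log, Burp) need their
    # own parser but yield the same five fields.
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, method, url, body = line.split('|', 4)
        verdict, beacon, ids = score_request(method, url, body)
        results.append({'ts': ts, 'client': client, 'host': urlsplit(url).hostname,
                        'verdict': verdict, 'beacon_fields': beacon, 'identifiers': ids})
    return results


# Constructed sample traffic. Hosts use the reserved .invalid TLD and the
# identifiers are made up; nothing here is taken from a real capture.
SAMPLE_LOG = [
    '2018-02-20T10:01:02Z|10.0.0.12|POST|http://cdn-node-17.invalid/report/device|'
    'netConnectionType=WIFI&osVersion=6.0.1&imei=123456789012345&imsi=460001234567890'
    '&iccid=89860012345678901234&mac=02:00:00:00:00:00&isRoot=0&deviceManufacturer=samsung'
    '&packageName=com.example.cuteactress&channelId=1001&appId=17&type=1',
    '2018-02-20T10:01:05Z|10.0.0.12|GET|http://cdn-node-17.invalid/ping?imei=123456789012345'
    '&imsi=460001234567890&iccid=89860012345678901234|',
    '2018-02-20T10:02:00Z|10.0.0.30|POST|https://www.example.com/login|username=alice&type=web',
]


if __name__ == '__main__':
    for r in scan_proxy_log(SAMPLE_LOG):
        print(r['ts'], r['client'], r['host'], r['verdict'],
              'beacon fields:', len(r['beacon_fields']), 'identifiers:', r['identifiers'])
```

The first sample line trips the field-count rule, the second (a short GET carrying only IMEI, IMSI and ICCID) trips the identifier rule, and the login request is left alone despite matching the generic name type. Two independent rules matter here because the report says the additional APKs are fetched at runtime and the parameter set is therefore likely to vary between variants; a rule keyed on the full field list alone would miss the smaller uploads.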
Not\r\nonly does the attacker utilize a wide range of functioning malicious applications to entice the victim, they’ve also\r\nperfected every tiny detail to ensure their actions are difficult to trace. From the complex distribution network of\r\nover 4,000 domains and concealed APKs to SMS functionality and the data exfiltration – the group that built this\r\nmalware has planned it exceedingly well.\r\nIn order to protect themselves from these types of threats, individuals and organizations with vulnerable devices\r\nshould disable downloads from third-party app stores, unless absolutely necessary for business functionality.\r\nWandera research shows that more than 20% of corporate Android devices allow third-party installations, so a\r\nsignificant number of devices are vulnerable to this threat.\r\nIt’s also worth noting that newer Android releases make it easier for users to spot apps with invasive\r\npermissions: since Marshmallow, dangerous permissions are requested from the user at runtime, and Oreo, Google’s\r\nlatest OS version, additionally asks the user before an individual app is allowed to install packages from unknown\r\nsources. However, according to Google, almost half of Android devices are still running OS versions that predate\r\nMarshmallow – making it simple for RedDrop to bypass user scrutiny and be installed on devices. Organizations are\r\nstrongly recommended to update their fleets to the latest version of Android to minimize their exposure to this new\r\nmalware family.\r\nThis multifaceted hybrid attack is entirely unique. The malicious actor\r\ncleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent.\r\nThis is one of the more persistent malware variants we’ve seen.\r\nDr Michael Covington, VP of Product Strategy at Wandera\r\nIt’s likely that RedDrop will continue to be employed by attackers even after these apps are flagged as malicious.\r\nAs was seen in the case of SLocker last year, attackers are smart in creating variants of known malware in an\r\nattempt to bypass traditional security measures. 
We expect the same to be true of RedDrop in the coming months –\r\nand much like with SLocker, future variants will be detected by MI:RIAM, the security intelligence engine\r\npowering Wandera’s threat detection.\r\nWandera’s threat research team will continue to investigate RedDrop variants and will update you on their\r\nfindings.\r\nGeneral app safety tips\r\nChange your device settings to disallow third-party downloads\r\nAvoid rooting your device\r\nCheck the permissions apps are requesting\r\nDeploy a security solution that can monitor and block C\u0026C traffic at the device level\r\nSource: https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"
	],
	"report_names": [
		"reddrop-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434818,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd9de5df6b21ff12f3fe92feef6526f14b2a507d.pdf",
		"text": "https://archive.orkl.eu/cd9de5df6b21ff12f3fe92feef6526f14b2a507d.txt",
		"img": "https://archive.orkl.eu/cd9de5df6b21ff12f3fe92feef6526f14b2a507d.jpg"
	}
}