S0326 RedDrop
RedDrop is an Android malware family that exfiltrates sensitive data from devices.[1]
Item | Value |
---|---|
ID | S0326 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 17 October 2018 |
Last Modified | 24 October 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1437 | Application Layer Protocol | - |
mobile | T1437.001 | Web Protocols | RedDrop uses HTTP requests for C2 communication.[1] |
mobile | T1429 | Audio Capture | RedDrop captures live recordings of the device's surroundings.[1] |
mobile | T1646 | Exfiltration Over C2 Channel | RedDrop uses standard HTTP for exfiltration.[1] |
mobile | T1643 | Generate Traffic from Victim | RedDrop tricks the user into sending SMS messages to premium services and then deletes those messages.[1] |
mobile | T1544 | Ingress Tool Transfer | RedDrop uses ads or other links within websites to encourage users to download the malicious apps through a complex content distribution network (CDN) and a series of network redirects. RedDrop also downloads additional components (APKs, JAR files) from different C2 servers.[1] |
mobile | T1426 | System Information Discovery | RedDrop exfiltrates details of the victim device's operating system and manufacturer.[1] |
mobile | T1422 | System Network Configuration Discovery | RedDrop collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device- and SIM-related info.[1] |