Skip to content

S0326 RedDrop

RedDrop is an Android malware family that exfiltrates sensitive data from devices. 1

Item Value
ID S0326
Associated Names
Version 1.2
Created 17 October 2018
Last Modified 24 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols RedDrop uses HTTP requests for C2 communication.1
mobile T1429 Audio Capture RedDrop captures live recordings of the device’s surroundings.1
mobile T1646 Exfiltration Over C2 Channel RedDrop uses standard HTTP for exfiltration.1
mobile T1643 Generate Traffic from Victim RedDrop tricks the user into sending SMS messages to premium services and then deletes those messages.1
mobile T1544 Ingress Tool Transfer RedDrop uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. RedDrop also downloads additional components (APKs, JAR files) from different C2 servers.1
mobile T1426 System Information Discovery RedDrop exfiltrates details of the victim device operating system and manufacturer.1
mobile T1422 System Network Configuration Discovery RedDrop collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.1