S0326: RedDrop
Analyst context for executives and security teams
RedDrop is an Android malware family that ATT&CK describes as exfiltrating sensitive data from devices. Its ATT&CK relationships make it material beyond a single infected phone: it is linked to system, network-configuration, internet-connection and Wi-Fi discovery; audio capture; HTTP-based command-and-control; ingress tool transfer; premium-rate SMS traffic generated from the victim device; and exfiltration over the C2 channel. For leaders, the practical issue is whether mobile devices that access corporate data are governed, monitored, and containable when an app behaves like spyware or a data-exfiltration client.
Executive priority
Treat this as a mobile data-loss and privacy-readiness scenario. Priority questions are: which Android devices can access business email, files, identity apps, or sensitive conversations; whether mobile management and app governance can identify risky permissions and unauthorized apps; whether the SOC can see mobile network egress; and whether incident response has a process for isolating, preserving, and replacing affected devices. This object supports investment decisions around mobile device management, mobile threat detection, acceptable-use enforcement, and evidence needed for compliance investigations involving sensitive data exposure.
Technical view
ATT&CK provides no dedicated detection text for RedDrop, so defenders should validate coverage around the related behaviors rather than relying on a named-malware signature. For Android, review visibility into application inventory, requested and granted permissions, microphone access, premium-rate SMS sending where the platform or MDM exposes it, network connectivity checks, Wi-Fi and system information access, downloaded or transferred payloads, and outbound HTTP/HTTPS communications used for command-and-control or exfiltration. IR teams should be prepared to correlate device state, installed applications, permissions, network destinations, and data-access logs from corporate services to determine whether sensitive data may have left the device.
Likely telemetry
- Android device inventory and ownership context from mobile device management or enterprise mobility tooling
- Installed application inventory, package metadata, source of installation, and app reputation where available
- Android permission grants, especially microphone access and other permissions relevant to data collection or generated traffic
- Mobile network telemetry for outbound HTTP/HTTPS connections, unusual destinations, repeated connectivity checks, or high-volume egress
- Wi-Fi and network configuration access indicators where mobile security tooling exposes them
Detection direction
- Build detections around behavior clusters mapped to the relationships: discovery of system/network/Wi-Fi information plus web-protocol communications plus exfiltration-like egress is more useful than any single weak signal.
- Validate whether Android telemetry can actually expose permission use and app behavior; many environments only have inventory and network logs, which may miss microphone access or local discovery activity.
- Tune network analytics carefully because HTTP/HTTPS is normal mobile traffic; prioritize unknown apps, newly installed apps, unusual destinations, repeated beacon-like traffic, and traffic from unmanaged or noncompliant devices.
- Correlate mobile alerts with identity and SaaS logs to determine business relevance: a personal device with no corporate access carries different incident priority than a managed device used for privileged or regulated workflows.
- Include false-positive review for legitimate apps that check connectivity, collect device information, or use microphone permissions, and require context such as app trust, installation source, permission necessity, and destination reputation.
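The behavior-cluster scoring described in the detection direction above, as an added example that is not part of the ATT&CK object, the Wandera report, or this page's own tooling. It scores a constructed Android app inventory (package, installer, granted permissions) against a cluster of permissions that plausibly corresponds to the RedDrop-related techniques, then adds context from constructed per-app outbound flows (installer trust, beacon-like repetition, plaintext HTTP). The permission names are real Android permissions; the technique-to-permission mapping, the record formats, the weights, the threshold and all sample data are assumptions for illustration, and a real MDM or MTD export will look different.

```python
"""Cluster-based triage of Android app inventory plus network flows.

Added example: the technique-to-permission mapping, record formats, scoring
weights and sample data below are assumptions for illustration only.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed evidence mapping: ATT&CK Mobile technique -> Android permission(s)
# whose grant makes that behavior possible. Permission names are genuine.
TECHNIQUE_PERMISSIONS: Dict[str, Set[str]] = {
    "T1429 Audio Capture": {"android.permission.RECORD_AUDIO"},
    "T1643 Generate Traffic from Victim": {"android.permission.SEND_SMS"},
    "T1422 System Network Configuration Discovery": {"android.permission.READ_PHONE_STATE"},
    "T1422.002 Wi-Fi Discovery": {"android.permission.ACCESS_WIFI_STATE"},
    "T1422.001 Internet Connection Discovery": {"android.permission.ACCESS_NETWORK_STATE"},
    "T1437.001 Web Protocols": {"android.permission.INTERNET"},
}
# Google Play's installer package; anything else is treated as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass
class AppRecord:            # one MDM inventory row (constructed format)
    device: str
    package: str
    installer: Optional[str]
    permissions: Set[str]
    managed: bool


@dataclass
class Flow:                 # one per-app outbound connection (constructed format)
    device: str
    package: str
    host: str
    scheme: str             # "http" or "https"
    bytes_out: int


def matched_techniques(app: AppRecord) -> List[str]:
    """Techniques whose evidence permissions this app has been granted."""
    return [t for t, perms in TECHNIQUE_PERMISSIONS.items() if perms & app.permissions]


def beacon_hosts(flows: List[Flow], min_count: int = 5) -> Set[str]:
    """Hosts contacted repeatedly by one app; a crude beacon indicator."""
    counts = Counter(f.host for f in flows)
    return {h for h, c in counts.items() if c >= min_count}


def score_app(app: AppRecord, flows: List[Flow]) -> Tuple[int, List[str]]:
    """Weight a cluster of weak signals instead of alerting on any one of them."""
    reasons: List[str] = []
    techs = matched_techniques(app)
    collection = [t for t in techs if t.startswith(("T1429", "T1422", "T1643"))]
    comms = [t for t in techs if t.startswith("T1437")]
    score = 0
    # Core rule: at least two collection/discovery capabilities AND a C2-capable channel.
    if len(collection) >= 2 and comms:
        score += 3
        reasons.append("behavior cluster: " + ", ".join(collection) + " + " + comms[0])
    if app.installer not in TRUSTED_INSTALLERS:
        score += 2
        reasons.append("untrusted installer: " + (app.installer or "unknown"))
    hosts = beacon_hosts(flows)
    if hosts:
        score += 2
        reasons.append("beacon-like traffic to " + ", ".join(sorted(hosts)))
    plain = sum(f.bytes_out for f in flows if f.scheme == "http")
    if plain:
        score += 1
        reasons.append(f"{plain} bytes sent over plaintext HTTP")
    if not app.managed:   # context only; telemetry from unmanaged devices is incomplete
        reasons.append("unmanaged device: telemetry may be incomplete")
    return score, reasons


def triage(apps: List[AppRecord], flows: List[Flow], threshold: int = 5):
    """Return {(device, package): (score, reasons)} for apps at or above threshold."""
    by_app = defaultdict(list)
    for f in flows:
        by_app[(f.device, f.package)].append(f)
    findings = {}
    for app in apps:
        score, reasons = score_app(app, by_app.get((app.device, app.package), []))
        if score >= threshold:
            findings[(app.device, app.package)] = (score, reasons)
    return findings


# Constructed sample data: a benign Play-store app, a sideloaded app with the
# full cluster, and a legitimate voice-memo app that records audio and syncs.
SAMPLE_APPS = [
    AppRecord("dev-01", "com.example.flashlight", "com.android.vending",
              {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}, True),
    AppRecord("dev-02", "com.example.calc", None,
              {"android.permission.INTERNET", "android.permission.RECORD_AUDIO",
               "android.permission.READ_PHONE_STATE", "android.permission.ACCESS_WIFI_STATE",
               "android.permission.SEND_SMS"}, True),
    AppRecord("dev-03", "com.example.voicememo", "com.android.vending",
              {"android.permission.INTERNET", "android.permission.RECORD_AUDIO"}, True),
]
SAMPLE_FLOWS = (
    [Flow("dev-02", "com.example.calc", "198.51.100.23", "http", 4096)] * 6
    + [Flow("dev-01", "com.example.flashlight", "ads.example.net", "https", 512)] * 2
    + [Flow("dev-03", "com.example.voicememo", "sync.example.org", "https", 20000)] * 8
)

if __name__ == "__main__":
    for key, (score, reasons) in triage(SAMPLE_APPS, SAMPLE_FLOWS).items():
        print(key, score, reasons)
```

Run as-is and only the sideloaded `com.example.calc` on `dev-02` crosses the threshold (score 8); the voice-memo app scores 2 despite microphone access and repeated sync traffic, which is the false-positive case the last bullet warns about. Swap the sample lists for your MDM inventory and per-app flow export, keep the cluster rule, and tune the weights against your own baseline before alerting on the score.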
Mitigation priorities
- Enforce mobile device management or equivalent governance for Android devices accessing corporate resources, including baseline compliance, encryption, screen lock, and OS version requirements.
- Restrict corporate access from unmanaged or noncompliant Android devices, especially for sensitive mail, files, identity administration, and regulated data workflows.
- Apply app control and installation-source policies to reduce exposure to untrusted applications, and review apps requesting sensitive permissions such as microphone access or SMS-related capabilities.
- Use mobile threat defense and network monitoring where appropriate to identify suspicious app behavior, web-protocol command-and-control patterns, and exfiltration-like traffic.
- Prepare an incident response playbook for mobile data exposure: isolate or revoke device access, preserve relevant evidence, reset credentials or tokens if needed, and assess corporate data accessed from the device.
Analyst notes and limits
This take is based only on ATT&CK S0326 RedDrop fields and its listed relationships. The object is in the mobile ATT&CK domain, platform Android, with no tactics specified and no official detection guidance. The relationship set is useful for defensive planning because it links RedDrop to discovery, audio capture, web-protocol communication, ingress tool transfer, traffic generation, and exfiltration over C2, but local device, network, identity, and SaaS evidence is required to determine scope or business impact.
ATT&CK does not provide RedDrop-specific detection logic, active exploitation status, attribution, aliases, or environment-specific indicators in the supplied fields. The external reference is an archived 2018 public report cited by ATT&CK. Do not infer current prevalence, customer exposure, or guaranteed detectability from this object alone.
RedDrop
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1422.001 | System Network Configuration Discovery: Internet Connection Discovery | RedDrop collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info. [1] |
| Mobile | T1643 | Generate Traffic from Victim | RedDrop tricks the user into sending SMS messages to premium services and then deletes those messages. [1] |
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | RedDrop uses HTTP requests for C2 communication. [1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | RedDrop uses standard HTTP for exfiltration. [1] |
| Mobile | T1544 | Ingress Tool Transfer | |
| Mobile | T1422 | System Network Configuration Discovery | RedDrop collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info. [1] |
| Mobile | T1426 | System Information Discovery | RedDrop exfiltrates details of the victim device operating system and manufacturer. [1] |
| Mobile | T1422.002 | System Network Configuration Discovery: Wi-Fi Discovery | RedDrop collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info. [1] |
| Mobile | T1429 | Audio Capture | RedDrop captures live recordings of the device's surroundings. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 7ea90e86d199… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Wandera-RedDrop: Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.
[2] RedDrop (Citation: Wandera-RedDrop)
[3] mitre-attack S0326
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.