A new dropper-as-a-service (DaaS) cybercrime operation named “SecuriDropper” has emerged. It bypasses Android’s “Restricted Settings” feature to install malware on the device and obtain access to accessibility services.
Restricted Settings is a security feature introduced in Android 13 that prevents sideloaded applications (APK files) installed from outside of Google Play from accessing powerful features such as accessibility settings and notification listeners.
Both permissions are frequently abused by malware, so the feature protects users by showing a warning when a sideloaded app requests them and blocking the request from being approved.
(ThreatFabric)
Accessibility services can be abused to capture on-screen text, grant additional permissions, or perform navigation actions remotely, while notification listeners can be abused to steal one-time passwords from incoming notifications.
In August 2022, ThreatFabric reported that malware developers were already adjusting their tactics to this new countermeasure through a new dropper called “BugDrop.”
Based on that observation, the company created a proof-of-concept (PoC) dropper to demonstrate that a bypass is possible.
The trick is to install the malicious APK (Android package) through Android’s session-based installation APIs. A session install delivers the app in several pieces: a “base” package plus any number of “split” APKs, written into one install session and committed together.
When an app is installed through these session-based APIs rather than the older non-session install flow, Restricted Settings does not apply: the user is never shown the Restricted Settings dialog that would otherwise block the dangerous permissions from being granted to the malware.
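To make concrete what “session-based installation” means, here is the ordinary Android PackageInstaller session flow that any third-party app store uses: a base APK and one or more split APKs are written into a single session and committed together. This is an added illustration written for this article, not code from SecuriDropper or ThreatFabric; the class name, the APK file names and the broadcast action are assumptions. Nothing in it is unusual, which is the point: an app installed this way, rather than through the older non-session flow, is the case ThreatFabric found is not gated by Restricted Settings when it later asks for accessibility access.

```java
// Added example for this article (not SecuriDropper's or ThreatFabric's code).
// Standard Android session-based install: base APK + split APKs in one session.
// Class name, file names and ACTION_INSTALL_RESULT are assumptions for illustration.
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInstaller;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public final class SessionInstaller {
    // Hypothetical broadcast action: a receiver registered for it receives
    // PackageInstaller.EXTRA_STATUS (e.g. STATUS_PENDING_USER_ACTION) after commit().
    private static final String ACTION_INSTALL_RESULT = "com.example.INSTALL_RESULT";

    // Caller must hold REQUEST_INSTALL_PACKAGES ("install unknown apps" granted by the user).
    public static void installWithSplits(Context ctx, File baseApk, File[] splitApks) throws IOException {
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params =
                new PackageInstaller.SessionParams(PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        int sessionId = installer.createSession(params);

        // Session implements Closeable; closing it does not abandon it.
        try (PackageInstaller.Session session = installer.openSession(sessionId)) {
            // The base package carries the manifest; splits carry resources or native code.
            writeToSession(session, "base.apk", baseApk);
            for (int i = 0; i < splitApks.length; i++) {
                writeToSession(session, "split_" + i + ".apk", splitApks[i]);
            }

            // commit() hands all staged APKs to the system in one step; the result
            // (including the user confirmation the system still shows) is delivered
            // to this PendingIntent. FLAG_MUTABLE is required so the system can add extras.
            Intent result = new Intent(ACTION_INSTALL_RESULT).setPackage(ctx.getPackageName());
            PendingIntent pi = PendingIntent.getBroadcast(
                    ctx, sessionId, result, PendingIntent.FLAG_MUTABLE);
            session.commit(pi.getIntentSender());
        } catch (IOException e) {
            // Staged bytes are discarded if anything fails before commit.
            installer.abandonSession(sessionId);
            throw e;
        }
    }

    // Streams one APK into the session under the given name and fsyncs it.
    private static void writeToSession(PackageInstaller.Session session, String name, File apk)
            throws IOException {
        try (InputStream in = new FileInputStream(apk);
             OutputStream out = session.openWrite(name, 0, apk.length())) {
            byte[] buf = new byte[64 * 1024];
            int n;
            while ((n = in.read(buf)) > 0) {
                out.write(buf, 0, n);
            }
            session.fsync(out);
        }
    }
}
```

Two caveats a practitioner should keep in mind. The calling app still needs the REQUEST_INSTALL_PACKAGES permission, which is the “install packages” access the dropper secures at install time, and commit() still causes the system to present its own install confirmation to the user (delivered to the receiver as STATUS_PENDING_USER_ACTION with an Intent to launch). What the research describes is only that the app installed through this path is not subject to Restricted Settings afterwards, not that the install itself becomes silent.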
BleepingComputer has confirmed that the weakness is still present in Android 14, and a new ThreatFabric report states that SecuriDropper uses the same technique to sideload malware onto targeted devices and grant it access to dangerous subsystems.
This is the first known use of this technique in a cybercriminal campaign targeting Android users.
How the Android dropper-as-a-service works
SecuriDropper infects Android devices by masquerading as a legitimate app, most often impersonating a Google app, an Android update, a video player, a security app, or a game, and then installs a second payload, which is the actual malware.
The dropper does this by obtaining the “Read and write external storage” and “Install and delete packages” permissions during installation.
The second-stage payload is installed through user deception and interface manipulation: the dropper displays a fake error message about its own installation and prompts the user to tap a “Reinstall” button, which triggers the payload install.
ThreatFabric has observed SpyNote malware being distributed through SecuriDropper disguised as the Google Translate app.
In other cases, SecuriDropper was seen distributing the Ermac banking trojan disguised as the Chrome browser, targeting hundreds of cryptocurrency and e-banking applications.
ThreatFabric also reports the resurfacing of Zombinder, a DaaS operation first documented in December 2022. The service “glues” a malicious payload onto legitimate apps, infecting Android devices with information stealers and banking trojans.
Worryingly, recent advertisements for Zombinder highlight the same Restricted Settings bypass discussed above, granting the payload access to accessibility settings during installation.
To protect themselves from such attacks, Android users should avoid downloading APK files from obscure sources or untrusted publishers.
You can review and revoke permissions for installed apps under Settings → Apps → [select an app] → Permissions.
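For anyone checking a fleet of devices rather than clicking through Settings, the following added example (not from this article, ThreatFabric or Google) lists every package that currently holds an enabled accessibility service or notification listener and reports which package installed it, so that sideloaded apps with these capabilities stand out. It assumes API level 30 or later for getInstallSourceInfo(), and that the caller has package visibility to the audited apps (QUERY_ALL_PACKAGES or a <queries> element on Android 11+). The class name is an assumption, and the notification-listener settings key is the name Android stores internally rather than a public SDK constant.

```java
// Added example for this article (not SecuriDropper, ThreatFabric or Google code).
// Lists apps holding an enabled accessibility service or notification listener
// and the package that installed each one. Assumes API 30+ and package visibility.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.InstallSourceInfo;
import android.content.pm.PackageManager;
import android.provider.Settings;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.List;

public final class SensitiveAccessAudit {
    // Google Play's package name; anything else (or null) means the app was sideloaded
    // or came from another store.
    private static final String PLAY_STORE = "com.android.vending";
    // Internal Settings.Secure key; not a public SDK constant (assumption, see lead-in).
    private static final String ENABLED_NOTIFICATION_LISTENERS = "enabled_notification_listeners";

    public static final class Finding {
        public final String packageName;
        public final String capability;   // "accessibility" or "notification_listener"
        public final String installer;    // initiating package, or null if not recorded

        Finding(String packageName, String capability, String installer) {
            this.packageName = packageName;
            this.capability = capability;
            this.installer = installer;
        }

        // True when the app did not come through Google Play: the case Restricted Settings targets.
        public boolean isSideloaded() {
            return !PLAY_STORE.equals(installer);
        }
    }

    public static List<Finding> audit(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<Finding> findings = new ArrayList<>();

        // Enabled accessibility services, regardless of feedback type.
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            findings.add(new Finding(pkg, "accessibility", installerOf(pm, pkg)));
        }

        // Enabled notification listeners: a ':'-separated list of flattened component names.
        String listeners = Settings.Secure.getString(
                ctx.getContentResolver(), ENABLED_NOTIFICATION_LISTENERS);
        if (listeners != null && !listeners.isEmpty()) {
            for (String flat : listeners.split(":")) {
                ComponentName cn = ComponentName.unflattenFromString(flat);
                if (cn == null) continue;
                String pkg = cn.getPackageName();
                findings.add(new Finding(pkg, "notification_listener", installerOf(pm, pkg)));
            }
        }
        return findings;
    }

    // Package that initiated the install (API 30+), or null if the system has no record.
    private static String installerOf(PackageManager pm, String pkg) {
        try {
            InstallSourceInfo src = pm.getInstallSourceInfo(pkg);
            return src.getInitiatingPackageName();
        } catch (PackageManager.NameNotFoundException e) {
            return null;
        }
    }
}
```

Run audit() from a diagnostic app and review every Finding for which isSideloaded() returns true: a sideloaded app that holds accessibility or notification-listener access is precisely the combination Restricted Settings was meant to prevent and that the dropper described above obtains.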
Updated 11/6: In response to a request for comment from BleepingComputer, a Google spokesperson sent the following statement:
Restricted settings add an extra layer of protection in addition to the user verification required for apps to access Android settings/permissions.
As a core protection, Android users always have control over what permissions are granted to apps.
Users are also protected by Google Play Protect. Google Play Protect can warn users and block apps that are known to exhibit malicious behavior on Android devices with Google Play services.
To keep you safe, we’re constantly reviewing attack methods and improving Android’s defenses against malware.