A cybercriminal service circumvents Android security measures to implant malicious software

A new cybercrime operation called ‘SecuriDropper’ has emerged, which uses a method to bypass the ‘Restricted Settings’ feature in Android to install malware on devices and obtain access to Accessibility Services. Restricted Settings is a security feature introduced with Android 13 that prevents side-loaded applications (APK files installed from outside Google Play) from accessing powerful features like the Accessibility settings and the Notification Listener. These two permissions are commonly abused by malware, so the feature was intended to protect users by blocking such requests and displaying a warning when a side-loaded app asks for them.

Accessibility can be abused to capture on-screen text, grant additional permissions, and perform navigation actions remotely, while the Notification Listener can be used to steal one-time passwords. In August 2022, ThreatFabric reported that malware developers were already adjusting their tactics to this new measure through a new dropper named ‘BugDrop’. Based on its observations, the firm created a proof-of-concept (PoC) dropper to showcase that the bypass was possible.

The trick used by SecuriDropper is to use the session-based installation API for the malicious APK files, which installs them in multiple steps, involving a “base” package and various “split” data files. When this API is used instead of the non-session method, Restricted Settings is bypassed, and users are not shown the ‘Restricted setting’ dialog that would prevent them from granting the malware access to dangerous permissions. BleepingComputer has confirmed that the security issue is still present in Android 14, and, according to a new ThreatFabric report, SecuriDropper follows the same technique to side-load malware on target devices and give it access to risky sub-systems.

Droppers are a specific category of malware whose main purpose is to install a payload on an infected device[4]. The use of droppers allows actors to separate the development and execution of an attack from the installation of the malware. Dropper-as-a-Service (DaaS) platforms have emerged as potent tools, allowing customers to pay to have their malware distributed to targets via droppers. A DaaS typically uses a network of websites to deliver droppers onto victims’ devices that, when run, install and execute the customer’s malware. The droppers may be disguised as legitimate or cracked applications that users are tricked into running.

This is the first observed case of this method being used in cybercrime operations targeting Android users. The use of droppers and the actors behind them are in a constant state of evolution as they strive to outwit evolving security measures. As Android continues to raise the bar with each iteration, cybercriminals adapt and innovate.

Android Dropper-as-a-Service operations

SecuriDropper is a new dropper-as-a-service (DaaS) cybercrime operation that infects Android devices posing as a legitimate app, most often impersonating a Google app, Android update, video player, security app, or a game, and then installing a second payload, which is some form of malware. The dropper achieves this by securing access to the “Read & Write External Storage” and “Install & Delete Packages” permissions upon installation. The second-stage payload is installed through user deception and interface manipulation, prompting users to click a “Reinstall” button after displaying bogus error messages about the dropper app’s installation.

SecuriDropper is designed to bypass the new security restrictions imposed by Google and deliver malware. The dropper is responsible for installing a secondary payload, typically malware (spyware or banking Trojans), onto the victim’s device. The dropper often disguises itself as a seemingly harmless app; some of the samples observed in the wild are com.appd.instll.load (Google) and com.appd.instll.load (Google Chrome). What makes SecuriDropper stand out is the technical implementation of its installation procedure: it installs the payload through the session-based installation API described above (a “base” package plus “split” data files), so Restricted Settings is bypassed and the ‘Restricted setting’ dialog that would stop users from granting dangerous permissions is never shown.
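The two permissions the dropper secures at install time (external storage access and package install/delete rights) are visible in an app’s manifest, which makes them a cheap static triage signal for analysts. The following is an added example, not code from the article or from ThreatFabric: it parses a decoded AndroidManifest.xml (the binary manifest inside an APK must first be decoded with a tool such as apktool or aapt; that step is assumed here) and flags the combination. The heuristic and the sample manifests are our own constructions, and the package names in them are placeholders, not real apps.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permission names behind the two capabilities the article mentions.
INSTALL_RIGHTS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.REQUEST_DELETE_PACKAGES",
}
STORAGE_RIGHTS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def dropper_indicators(manifest_xml):
    """Triage heuristic (ours, not an official rule): an app that can both read
    external storage and request package installs/removals has the minimum it
    needs to stage a second APK and install it."""
    perms = declared_permissions(manifest_xml)
    install = sorted(perms & INSTALL_RIGHTS)
    storage = sorted(perms & STORAGE_RIGHTS)
    return {
        "install_rights": install,
        "storage_rights": storage,
        "suspicious": bool(install) and bool(storage),
    }


# Constructed sample manifests (placeholder packages, not real apps). The first
# mimics the permission set the article attributes to the dropper; the second is
# a typical app that only needs storage.
DROPPER_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.updater">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application android:label="System Update"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gallery">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Gallery"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("dropper-like", DROPPER_LIKE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, dropper_indicators(xml))
```

A hit from this check is a reason to look closer, not a verdict: legitimate app stores and update clients declare the same permissions. It is most useful when combined with the installer-source check (whether the app came from Google Play or was side-loaded), which is the distinction Restricted Settings itself is built on.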

SecuriDropper pretends to be various types of applications (ThreatFabric)

SecuriDropper is a dropper-as-a-service (DaaS) cybercrime operation that installs malware on Android devices by bypassing the “Restricted Settings” feature, relying on the storage and package-installation permissions it obtains at install time and on the bogus error messages and “Reinstall” button described above to get the second-stage payload onto the device.

The process of delivering a payload (ThreatFabric)

ThreatFabric has seen SpyNote malware distributed through SecuriDropper disguised as a Google Translate app. In other cases, SecuriDropper was seen distributing the Ermac banking trojan disguised as the Chrome browser, targeting hundreds of cryptocurrency and e-banking applications.

ThreatFabric also reports on the re-surfacing of Zombinder, a DaaS operation first documented in December 2022. This service “glues” malicious payloads with legitimate apps to infect Android devices with info-stealers and banking trojans. Zombinder’s recent advertisements highlight the same Restricted Settings bypass strategy previously discussed, so the payloads are granted permission to use Accessibility settings upon installation.

The process of delivering a payload (ThreatFabric)

To protect against such attacks, Android users should avoid downloading APK files from unknown or untrusted sources[1]. Additionally, users can review and revoke permissions for any installed app by following these steps:

  1. Open the Settings app on your Android device.
  2. Tap the “Apps” or “Apps and Notifications” menu.
  3. Find the app you want to check in the list that appears.
  4. Tap “All Apps” or “See All” at the top if your app isn’t listed.
  5. Tap “Permissions”.

By reviewing app permissions, users can see what data an app uses and why it accesses that data. This can help users control the data they share with apps and minimize the amount of data an app accesses. For developers, note that permissions can be granted or revoked at runtime, so an app should be tested under various permission scenarios to ensure it functions correctly.
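Reviewing permissions one app at a time does not scale to a fleet, and the two capabilities this campaign is after (Accessibility Services and the Notification Listener) are not ordinary runtime permissions but system settings. An administrator with adb access can list them directly: `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners` each return a colon-separated list of component names, and `adb shell pm list packages -i` reports which installer put each package on the device. The script below is an added example (ours, not from the article or ThreatFabric) that takes that captured output and flags any app holding one of these privileges that was not installed from Google Play, which is exactly the side-loaded case Restricted Settings is meant to cover. The adb output embedded here is constructed, the `com.example.sideloaded` package is a placeholder, and the trusted-installer list is an assumption you should extend for your own enterprise store or MDM.

```python
import re

# Installer package names we treat as trusted. Assumption: Google Play only;
# add your MDM or OEM store here if you use one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# `pm list packages -i` prints lines like:
#   package:com.android.chrome  installer=com.android.vending
_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_components(settings_value):
    """Split the value of a `settings get secure ...` call into component names.
    An unset setting prints 'null'."""
    value = settings_value.strip()
    if not value or value == "null":
        return []
    return [c.strip() for c in value.split(":") if c.strip()]


def parse_installers(pm_output):
    """Map package name -> installer package (None when pm reports 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def audit_privileged_services(accessibility_out, listener_out, pm_out):
    """Return one finding per accessibility service or notification listener
    whose owning package did not come from a trusted installer."""
    installers = parse_installers(pm_out)
    findings = []
    for kind, raw in (("accessibility", accessibility_out),
                      ("notification_listener", listener_out)):
        for component in parse_components(raw):
            package = component.split("/", 1)[0]
            installer = installers.get(package)
            if installer not in TRUSTED_INSTALLERS:
                findings.append({
                    "kind": kind,
                    "component": component,
                    "package": package,
                    "installer": installer,  # None == side-loaded or unknown
                })
    return findings


# Constructed sample output, as the three adb commands would print it.
ACCESSIBILITY_OUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.OverlayService"
)
LISTENER_OUT = "com.example.sideloaded/.NotificationReader"
PM_OUT = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.android.chrome  installer=com.android.vending
"""

if __name__ == "__main__":
    for f in audit_privileged_services(ACCESSIBILITY_OUT, LISTENER_OUT, PM_OUT):
        print("%-22s %-45s installer=%s" % (f["kind"], f["component"], f["installer"]))
```

On the sample data only the side-loaded package is reported, once for its accessibility service and once for its notification listener, while TalkBack (installed from Play) is ignored. Run against real devices, each finding is a package to inspect and, if unexpected, to remove with `adb shell pm uninstall`.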

In summary, to protect against attacks, Android users should avoid downloading APK files from unknown or untrusted sources and review app permissions to control the data they share with apps. To review app permissions, users can follow the steps outlined above.

Sources:

  1. https://www.bleepingcomputer.com/news/security/cybercrime-service-bypasses-android-security-to-install-malware/
  2. https://thehackernews.com/2023/11/securidropper-new-android-dropper-as.html?m=1
  3. https://www.theregister.com/2021/09/02/malware_droppers_sophos/
  4. https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions
  5. https://malwaretips.com/threads/cybercrime-service-bypasses-android-security-to-install-malware.126971/
  6. https://www.paubox.com/blog/what-is-dropper-as-a-service
  7. https://www.androidcentral.com/how-review-app-permissions-your-android-phone
  8. https://www.privateinternetaccess.com/blog/how-to-review-permissions-given-to-your-mobile-apps/
  9. https://support.google.com/googleplay/answer/9431959?hl=en
  10. https://developer.android.com/training/permissions/usage-notes
  11. https://www.reddit.com/r/GooglePixel/comments/zzw4dv/getting_the_same_notification_daily_to_review_the/
  12. https://developer.android.com/guide/topics/permissions/overview
  13. https://isp.page/news/securidropper-new-android-dropper-as-a-service-bypasses-googles-defenses/
  14. https://www.tomsguide.com/news/new-android-malware-dropper-sneaks-past-google-protect-yourself-now