Cybercrime Service Bypasses Android Security to Install Malware

Cyber Security Threat Summary:
Researchers from ThreatFabric have identified a new dropper-as-a-service (DaaS) operation which they have named SecuriDropper. The service uses a method to bypass the “Restricted Settings” feature in Android to install malware on devices and obtain access to Accessibility Services.

Restricted Settings is a security feature first introduced in Android 13. It prevents side-loaded applications (APK files installed from outside the official Google Play store) from accessing Accessibility Services and the Notification Listener.

These two permissions are often abused by malware, so the Restricted Settings feature requires explicit approval from the user, displaying a warning whenever a side-loaded app requests them. Accessibility can be abused to capture on-screen text, grant additional permissions, and perform navigation actions remotely, while the Notification Listener can be used to steal one-time passwords.

Security Officer Comments:
Back in August, researchers from ThreatFabric discovered threat actors developing a proof-of-concept (PoC) dropper to bypass the Restricted Settings feature. The PoC uses a session-based installation API for the malicious APK file, which installs the app in multiple steps as a “base” package plus various “split” data files. By installing through this API, threat actors bypass Restricted Settings, and users are never shown the dialog that would otherwise stop them from granting malware access to these dangerous permissions.
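From a defender's side, the point of the two passages above (Restricted Settings and the session-based install bypass) is that a third-party app with no store installer should not normally hold Accessibility or Notification Listener access. The following audit script is an added example, not code from ThreatFabric or from this advisory. It parses the output of three real adb commands (`pm list packages -i -3`, `settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners`) and flags any third-party package holding either capability whose installer is not a trusted store. The package names, the `SAMPLE_*` strings and the `--device` switch are constructed for the demo; system apps (which are absent from the `-3` listing) are deliberately skipped so accessibility tools such as TalkBack are not flagged.

```python
import re
import subprocess
import sys

# Constructed sample output of `adb shell pm list packages -i -3` (third-party
# packages with their installer). The package names are made up for the demo.
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.translate.fake  installer=null
package:com.example.bankingapp  installer=com.android.vending
package:com.example.videoplayer  installer=com.example.sideload.installer
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
SAMPLE_A11Y = ("com.example.translate.fake/.SpyService:"
               "com.google.android.marvin.talkback/.TalkBackService")

# Constructed sample of `adb shell settings get secure enabled_notification_listeners`
SAMPLE_NL = "com.example.videoplayer/.NotifListener"

# Installer package names treated as trusted; com.android.vending is Google Play.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_pm_list(text):
    """Map third-party package name -> installer package (None when side-loaded)."""
    installers = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_component_list(text):
    """Turn a ':'-separated ComponentName list into the set of owning packages.
    `settings get` prints the literal string 'null' when nothing is enabled."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {c.split("/", 1)[0] for c in text.split(":") if c}


def find_suspicious(pm_text, a11y_text, nl_text, trusted=TRUSTED_INSTALLERS):
    """Return (package, capability, installer) for each third-party package that
    holds Accessibility or Notification Listener access without coming from a
    trusted installer. Packages missing from pm_text (system apps) are skipped."""
    installers = parse_pm_list(pm_text)
    findings = []
    for capability, comps in (("accessibility", a11y_text),
                              ("notification_listener", nl_text)):
        for pkg in sorted(parse_component_list(comps)):
            if pkg not in installers:
                continue  # not a third-party package (e.g. TalkBack), ignore
            inst = installers[pkg]
            if inst not in trusted:
                findings.append((pkg, capability, inst))
    return findings


def adb_shell(*args):
    """Run `adb shell ...` against the connected device and return stdout."""
    return subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True).stdout


def collect_from_device():
    """Gather the three inputs from a real device (requires adb on PATH)."""
    return (adb_shell("pm", "list", "packages", "-i", "-3"),
            adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
            adb_shell("settings", "get", "secure", "enabled_notification_listeners"))


if __name__ == "__main__":
    # `--device` is a flag of this demo script, not of adb itself.
    if "--device" in sys.argv:
        inputs = collect_from_device()
    else:
        inputs = (SAMPLE_PM_LIST, SAMPLE_A11Y, SAMPLE_NL)
    for pkg, capability, inst in find_suspicious(*inputs):
        print(f"{pkg}: {capability} granted, installer={inst or 'none (side-loaded)'}")
```

Run without arguments it evaluates the constructed sample and reports the fake translate app (accessibility, no installer) and the video player (notification listener, non-store installer); with `--device` it pulls the same three outputs from a USB-debugging-enabled phone. A package with no installer recorded is exactly the side-loaded case Restricted Settings is meant to gate, so any such package holding these capabilities deserves a closer look.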

Although the bypass was first discovered on Android 13, the security issue is still present in Android 14. This is the first observed case of the method being used in cybercrime operations targeting Android users.

According to ThreatFabric, “SecuriDropper infects Android devices posing as a legitimate app, most often impersonating a Google app, Android update, video player, security app, or a game, and then installing a second payload, which is some form of malware”.

Notably, ThreatFabric observed SpyNote malware being distributed with this technique disguised as a Google Translate app. They have also seen Ermac trojans disguised as the Chrome browser, targeting hundreds of cryptocurrency and e-banking applications.

This method may deliver various forms of malware designed to steal data, credentials, cryptocurrency wallets, and more.

Suggested Correction(s):
To protect against these attacks, Android users should avoid downloading APK files from obscure sources or from publishers they don't know and trust. While not perfect, both Google’s Play Store and Apple’s App Store do a decent job of removing malicious applications. It is never advised to download APK files or older update versions from unofficial sources.

Link(s):
https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions