SecuriDropper: New Android Dropper-as-a-Service Bypasses Google's Defenses

New Android Dropper-as-a-Service Bypasses Google's Defenses

Cybersecurity researchers have shed light on a new dropper-as-a-service (DaaS) for Android visited SecuriDropper that bypasses new security restrictions imposed by Google and copies the malware.

Dropper malware on Android is designed to functioning as a conduit to install a payload on a compromised diagram, making it a lucrative business model for threat actors, who can advertise the capabilities to other criminal groups.

What's more, behaviors so also allows adversaries to separate the development and execution of an conflict from the installation of the malware.

"Droppers and the actors leisurely them are in a constant state of evolution as they strive to outwit undulating security measures," Dutch cybersecurity firm ThreatFabric said in a narrate shared with The Hacker News.

One such security measure introduced by Google with Android 13 is what's visited the Restricted Settings, which prevents sideloaded applications from safeguarding Accessibility and Notification Listener permissions, which are often abused by banking trojans.

SecuriDropper aims to get throughout this guardrail without getting detected, with the dropper often disguised as a seemingly protected app. Some of the samples observed in the wild are as follows -

com.appd.instll.load (Google)
com.appd.instll.load (Google Chrome)

"What invents SecuriDropper stand out is the technical implementation of its installation procedure," ThreatFabric explained.

"Unlike its predecessors, this family uses a different Android API to install the new payload, mimicking the process used by marketplaces to install new applications."

Specifically, this entails requesting for permissions to read and write data to external storage (READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE) as well as install and delete packages (REQUEST_INSTALL_PACKAGES and DELETE_PACKAGES).

In the uphold stage, the installation of the malicious payload is facilitated by urging the victims to click on a "Reinstall" button on the app to settle a purported installation error.

ThreatFabric said it has consider it Android banking trojans such as SpyNote and ERMAC distributed via SecuriDropper on spurious websites and third-party platforms like Discord.

Another dropper service that has also been spotted offering a inequity Restricted Settings bypass is Zombinder, an APK binding tool that was suspected to be shut down backward this year. It's currently not clear if there is any connection between the two tools.

"As Android leftovers to raise the bar with each iteration, cybercriminals, too, adapt and innovate," the commerce said. "Dropper-as-a-Service (DaaS) platforms have emerged as potent tools, allowing malicious actors to infiltrate devices to distribute spyware and banking trojans."

Update

When assembled for comment on the latest findings, a Google spokesperson community the below statement with The Hacker News -

Restricted settings add an fabulous layer of protection on top of the user reinforce that is required for apps to access Android settings/permissions. As a core protection, Android users are always in control of which permissions they allow to an app. Users are also protected by Google Play Protect , which can warn users or discontinued apps known to exhibit malicious behavior on Android devices with Google Play Militaries. We are constantly reviewing attack methods and improving Android's defenses alongside malware to help keep users safe.