‘SecuriDropper’ Exploits Android Security Vulnerability, Bypassing Restricted Settings to Install Malware

A novel cybercrime operation named ‘SecuriDropper’ has surfaced, employing a technique to circumvent the ‘Restricted Settings’ feature in Android, enabling the installation of malware on devices and unauthorized access to Accessibility Services. ‘Restricted Settings,’ introduced with Android 13, aims to enhance security by preventing side-loaded applications (APK files) from accessing potent features like Accessibility settings and Notification Listener.

These permissions are often exploited by malware, which is why the feature was introduced: it protects users by showing warning messages when such permissions are requested. Accessibility can be abused to capture on-screen text, acquire additional permissions, and remotely perform navigation actions. Notification Listener, on the other hand, can be used to steal one-time passwords.

Earlier this year, ThreatFabric reported that malware developers were adapting to this security measure with a dropper named ‘BugDrop.’ Based on its observations, the firm created a proof-of-concept (PoC) dropper demonstrating a successful bypass of ‘Restricted Settings.’

The technique involves utilizing the session-based installation API for malicious APK files, installing them in multiple steps with a “base” package and various “split” data files. By employing this API instead of the non-session method, ‘Restricted Settings’ is bypassed, and users are not presented with the warning dialog, allowing malware access to critical permissions.

According to a recent report, SecuriDropper utilizes the same method to sideload malware on target devices, granting access to risky subsystems. This marks the first observed instance of such a method being employed in cybercrime operations targeting Android users.

SecuriDropper disguises itself as a legitimate app, often posing as a Google app, Android update, video player, security app, or a game. It proceeds to install a second payload, typically some form of malware, after securing access to “Read & Write External Storage” and “Install & Delete Packages” permissions upon installation.

The second-stage payload is deployed through deceptive user interfaces, enticing users to click a “Reinstall” button following fake error messages about the dropper app’s installation. ThreatFabric has identified instances of SpyNote malware distributed through SecuriDropper, masquerading as a Google Translate app. Additionally, Ermac banking trojans were distributed, disguised as the Chrome browser, targeting numerous cryptocurrency and e-banking applications.

The report also highlights the resurgence of Zombinder, a dropper-as-a-service (DaaS) operation documented in December 2022. Zombinder merges malicious payloads with legitimate apps to infect Android devices with info-stealers and banking trojans. Notably, Zombinder’s recent advertisements emphasize the same ‘Restricted Settings’ bypass strategy, ensuring that permission to use Accessibility settings is granted during installation.

To mitigate these threats, Android users are strongly advised to exercise caution with APK files and to refrain from downloading them from unfamiliar or untrusted sources. Regularly reviewing and revoking app permissions through Settings → Apps → [select an app] → Permissions provides an additional layer of protection. In this rapidly evolving landscape, staying informed and adopting proactive security measures is paramount to mitigating the risks posed by cyber threats.
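One way to run the permission review described above over a whole device, as an added example that is not taken from ThreatFabric's report: it cross-references the packages holding Accessibility or Notification Listener access with the installer recorded for each, using output from `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services` / `enabled_notification_listeners`. The trusted-installer list, the function names and the sample output are assumptions constructed for illustration.

```python
import re

# Assumption: installers this fleet treats as trusted; adjust to local policy.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` (third-party only)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_components(setting_value):
    """Package names from a colon-separated secure setting of pkg/Class entries."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def audit(pm_output, accessibility, listeners):
    """Return (package, installer, capabilities) for third-party apps that hold
    a sensitive capability and were not installed by a trusted store."""
    installers = parse_installers(pm_output)
    holders = {}
    for pkg in parse_components(accessibility):
        holders.setdefault(pkg, []).append("accessibility")
    for pkg in parse_components(listeners):
        holders.setdefault(pkg, []).append("notification_listener")
    findings = []
    for pkg, caps in sorted(holders.items()):
        if pkg not in installers:  # not in the -3 listing: preinstalled, skip
            continue
        if installers[pkg] not in TRUSTED_INSTALLERS:
            findings.append((pkg, installers[pkg], caps))
    return findings

# Constructed sample output (not captured from a real device).
SAMPLE_PM = """\
package:com.example.reader  installer=com.android.vending
package:com.example.translate  installer=com.example.updater
package:com.example.player  installer=null
"""
SAMPLE_A11Y = "com.example.reader/.ReadSvc:com.example.translate/.Svc:com.example.oem/.Svc"
SAMPLE_NLS = "com.example.translate/.Listener:com.example.player/.Listener"

if __name__ == "__main__":
    for pkg, installer, caps in audit(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_NLS):
        print(f"REVIEW {pkg} installer={installer} holds {', '.join(caps)}")
```

A finding is a prompt for manual review rather than a verdict: legitimately sideloaded tools will also appear, which is why the allowlist is kept explicit.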