Emerging Threat: SecuriDropper | Review Space




Emerging Threat: SecuriDropper

Exploits Android Security Flaw to Install Malware

NEWS  Security  November 7, 2023  Reading time: 2 Minute(s)

Max (RS editor)


In the ever-evolving landscape of cybercrime, a new player has entered the field, and it goes by the name of 'SecuriDropper.' This nefarious dropper-as-a-service (DaaS) operation has unveiled a devious method to bypass Android's 'Restricted Settings' feature, enabling it to install malware on unsuspecting devices and gain access to Accessibility Services.

Android 13 introduced the 'Restricted Settings' feature, designed to prevent side-loaded applications, typically delivered as APK files from sources outside Google Play, from accessing sensitive features such as Accessibility settings and the Notification Listener. These permissions are frequently abused by malicious software, which is why the extra layer of user protection was added.

SecuriDropper's method is a cunning workaround, sidestepping the 'Restricted Settings' barrier. This operation employs a session-based installation API for the malicious APK files, dividing the installation into multiple steps, which include a "base" package and various "split" data files. By utilizing this particular API, SecuriDropper evades Restricted Settings, ensuring that users are not presented with the usual 'Restricted setting' dialog that warns against granting the malware access to dangerous permissions.

Despite the introduction of Android 14, it's unsettling to learn that this security flaw remains unaddressed. A recent report from ThreatFabric affirms that SecuriDropper continues to employ this technique, allowing it to sneakily deliver malware to target devices and gain access to sensitive subsystems.

This marks the first instance of such a method being used in cybercrime operations targeting Android users. SecuriDropper infiltrates Android devices by disguising itself as a legitimate app, often masquerading as a Google app, Android update, video player, security app, or even a game. It then proceeds to install a second-stage payload, typically a form of malware, by acquiring permissions for "Read & Write External Storage" and "Install & Delete Packages" upon installation.

The second-stage payload installation involves deceiving users through interface manipulation, coercing them into clicking a "Reinstall" button after displaying fake error messages about the initial dropper app's installation. As per ThreatFabric's observations, SpyNote malware has been distributed through SecuriDropper, camouflaged as a Google Translate app. Moreover, SecuriDropper has been spotted distributing the Ermac banking trojan under the guise of the Chrome browser, with a specific focus on hundreds of cryptocurrency and e-banking applications.

In an alarming turn of events, ThreatFabric has also noted the resurgence of Zombinder, another DaaS operation first documented in December 2022. This service ingeniously combines malicious payloads with legitimate apps, effectively infecting Android devices with information stealers and banking trojans. What's concerning is that Zombinder's recent advertisements highlight the same Restricted Settings bypass strategy, ensuring that these payloads gain access to Accessibility settings upon installation.

To protect themselves against these insidious attacks, Android users are strongly advised to avoid downloading APK files from unfamiliar or dubious sources. Access to app permissions can be reviewed and revoked by navigating to Settings → Apps → [select an app] → Permissions. Remaining vigilant and cautious when interacting with app installations is key in staying safe in the face of emerging cyber threats like SecuriDropper and its ilk.
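The practical question raised above is which apps on a device currently hold Accessibility without having come from Google Play. The following triage script is an added example, not code from ThreatFabric or Review Space: it joins the installer-of-record for each package (from `adb shell pm list packages -i`) with the enabled Accessibility services setting (from `adb shell settings get secure enabled_accessibility_services`) and flags side-loaded packages. The sample device output and package names are constructed, and the set of trusted installers is an assumption to adjust for OEM or enterprise stores.

```python
"""Triage check: which apps granted Accessibility were side-loaded?

Input formats (real adb commands, sample text below is constructed):
  adb shell pm list packages -i
      -> "package:com.foo  installer=com.android.vending" (or installer=null)
  adb shell settings get secure enabled_accessibility_services
      -> "pkg/service:pkg2/service2" (or "null" when none are enabled)
"""
import re

# Assumption: only the Play Store counts as a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package ('null' when side-loaded)."""
    result = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_enabled_accessibility(setting: str) -> list:
    """Return the package part of each 'pkg/service' entry in the setting."""
    if setting.strip() in ("", "null"):
        return []
    return [e.split("/", 1)[0] for e in setting.strip().split(":") if e]


def sideloaded_with_accessibility(pm_output: str, setting: str) -> list:
    """(package, installer) pairs holding Accessibility but not Play-installed."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg in parse_enabled_accessibility(setting):
        src = installers.get(pkg, "unknown")  # unknown: not in package list
        if src not in TRUSTED_INSTALLERS:
            flagged.append((pkg, src))
    return flagged


# Constructed sample device output; package names are made up.
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.screenreader  installer=com.android.vending
"""
SAMPLE_A11Y = "com.example.fakeupdate/.AccessSvc:com.example.screenreader/.Reader"

if __name__ == "__main__":
    for pkg, src in sideloaded_with_accessibility(SAMPLE_PM, SAMPLE_A11Y):
        print(f"REVIEW: {pkg} holds Accessibility, installer={src}")
```

A package whose installer is `null` and which holds Accessibility is exactly the combination Restricted Settings was meant to block, so each hit deserves a manual look at the app's origin and the permissions it was granted.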

(Cover Image by storyset on Freepik)
