New SecuriDropper Malware Bypasses Android 13 Restrictions, Disguised as Legitimate Applications

We Keep you Connected

New SecuriDropper Malware Bypasses Android 13 Restrictions, Disguised as Legitimate Applications

New SecuriDropper Malware Bypasses Android 13 Restrictions, Disguised as Legitimate Applications
Your email has been sent
A new malware is bypassing an Android 13 security measure that restricts permissions to apps downloaded out of the legitimate Google Play Store.
A new report from ThreatFabric, a fraud protection company, exposes SecuriDropper malware, which is capable of bypassing Android 13 restricted settings. The malware makes Android consider the installation as coming from the Google Play Store, though in reality it isn’t.
It’s highly recommended for organizations to use Mobile Device Management solutions and methods to enable more control on employees’ Android devices and to restrict installing apps on their devices by using a list of approved applications and forbidding any other.
Jump to:
Android 13 introduced a new security feature called restricted settings. This new feature prevents sideloaded applications (i.e., downloaded out of the Google Play Store) from directly requesting accessibility settings and notification listener access — two features that are often abused by malware according to ThreatFabric’s researchers.
On Android systems, applications downloaded from the legitimate Google Play Store aren’t subject to the same process as those not originating from it. The main reason why is that applications that have made it successfully to the Google Play Store have provided more information and visibility and have passed different security tests to ensure they don’t contain malware functionalities. Therefore, applications from the Google Play Store aren’t concerned by the restricted settings feature.
Applications downloaded from the Play Google Store use a specific installation method — a “session-based” package installer — that isn’t normally used by sideloaded applications.
The SecuriDropper malware uses the same installation method as legitimate software from the legitimate Google Play Store. After being executed by the unsuspecting user, the malware requests two key permissions: Read & Write External Storage and Install & Delete Packages.
Once permissions are given, the malware checks if it already exists on the device; if it does, the malware runs, and if it doesn’t, the malware shows the user a message telling them something went wrong and the user needs to click a reinstall button. The message is different based on the device’s location and language configured.
When done, the session-based installation starts, and the user is asked for permission to enable the Accessibility Service, which becomes possible due to the bypass of the restricted settings feature (Figure A).
Figure A
The malware has been observed disguising itself as various Android applications such as Google Apps or Android updates (27%), video players (25%), security applications (15%) or games (12%), followed by email clients, adult content, music players and other apps (Figure B).
Figure B
Any kind of malicious code could be dropped and installed by SecuriDropper, as the malware’s final goal is to install other malware on infected devices. ThreatFabric observed two campaigns using SecuriDropper.
The first one is an attack campaign delivering SpyNote, a malware with remote administration tool features. The malicious payload was being distributed through phishing websites and deployed by SecuriDropper. The SpyNote malware, which is able to capture sensitive information on the device, as well as steal SMS and call logs and take screenshots, absolutely needs permissions that would be unavailable due to Android’s restricted settings. Its installation via SecuriDropper enables the SpyNote malware to keep infecting devices, even on Android 13, without needing to change its code.
In another attack campaign, SecuriDropper was observed installing the ERMAC banking trojan. The malware was deployed via Discord, a communication tool previously used primarily by gamers but increasingly utilized by other communities, including corporate entities.
Different malware families will use this technique in the future. One service that’s already using this technique is Zombinder.
As reported by ThreatFabric, the DarkNet platform Zombinder started advertising for its new version that bypasses Android 13 restricted settings. The Zombinder service allows an attacker to successfully bind a legitimate application with malware. When the infection is done, the legitimate application runs normally, while the malware is being executed in the background, unnoticed.
Zombinder also sells builders with the Android 13 restrictions bypass capability. The builders from Zombinder are software capable of dropping malware on an infected system (aka dropper), sold at $1,000 USD.
As written by ThreatFabric, “the emergence of services like Zombinder are indications of a booming market in cybercrime, offering builders and tools for evading Android 13’s defenses. It is a testament to the resourcefulness of those seeking to exploit security vulnerabilities for their gain.”
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays
New SecuriDropper Malware Bypasses Android 13 Restrictions, Disguised as Legitimate Applications
Your email has been sent
TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.
This is a comprehensive list of the best AI art generators. Explore the advanced technology that transforms imagination into stunning artworks.
Find the perfect payroll service for your business without breaking the bank. Discover the top cheap payroll services, features, pricing and pros and cons.
Is NordVPN worth it? How much does it cost and is it safe to use? Read our NordVPN review to learn about pricing, features, security, and more.
Free project management software provides flexibility for managing projects without paying a cent. Check out our list of the top free project management tools.
Australian and New Zealand enterprises in the public cloud are facing pressure to optimize cloud strategies due to a growth in usage and expected future demand, including for artificial intelligence use cases.
Because vendors supply the organization with critical supplies, goods, products, services and maintenance, and because these components possess a direct material impact on the organization’s success, all organization employees and representatives are subject to the vendor management and selection policy. The policy applies to all organization requests for proposals, bids, contracts, purchases and orders of …
Unlike consumer-level selling, completing B2B business transactions, especially when technological innovation is involved, often requires the cultivation of an intricate and complicated customer relationship. Merely having the best product or service is not enough. Someone must show the customer or client how that product or service will solve both their current and future problems. To …
Software is the lifeblood of businesses today. Tech has come out to be a solid differentiator, with faster product delivery being a make-or-break moment for any organization. TechRepublic Premium presents this quick glossary of key concepts to help your understanding. From the glossary: Integrated development environment An IDE is a one-stop software application for developers …
Python is a widely used general-purpose interpreted programming language. It’s a high-level language that can support multiple programming paradigms, including object-oriented, imperative, functional programming and procedural styles. Because of this language versatility, the skills, specializations and experience of Python developers tend to vary considerably. This hiring kit from TechRepublic Premium outlines the skills, experience and …
Get the web’s best business technology news, tutorials, reviews, trends, and analysis—in your inbox. Let’s start with the basics.
* – indicates required fields
Lost your password? Request a new password
Please enter your email adress. You will receive an email message with instructions on how to reset your password.
Check your email for a password reset link. If you didn’t receive an email don’t forgot to check your spam folder, otherwise contact support.
This will help us provide you with customized content.
Thanks for signing up! Keep an eye out for a confirmation email from our team. To ensure any newsletters you subscribed to hit your inbox, make sure to add newsletters@nl.technologyadvice.com to your contacts list.

source

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE