New SecuriDropper malware bypasses Android 13 restrictions, disguised as legitimate applications


A new malware is bypassing an Android 13 security measure that restricts the permissions of apps installed from outside the legitimate Google Play Store.

A new report from fraud protection company ThreatFabric describes this malware, SecuriDropper, which is able to bypass Android 13’s Restricted Settings. The malware makes Android believe the installation comes from the Google Play Store when it actually does not.

Organizations are strongly advised to use mobile device management solutions to gain more control over employees’ Android devices, restricting app installation to a list of approved apps and blocking all others.


What are the restricted settings of Android 13?

Android 13 introduced a new security feature called Restricted Settings. It prevents sideloaded applications (i.e., those installed from outside the Google Play Store) from directly requesting Accessibility Service and notification listener access, two capabilities that are frequently abused by malware according to ThreatFabric researchers.

On Android, applications downloaded from the legitimate Google Play Store are not subject to the same restrictions as applications that do not originate from it. The main reason is that applications that reach the Google Play Store have provided more information and visibility and have passed various security checks intended to ensure they contain no malware functionality. Apps from the Google Play Store are therefore not subject to the Restricted Settings feature.

Applications downloaded from the Google Play Store use a specific installation method – a “session-based” package installer – that is not typically used by sideloaded applications.
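A defender-side way to use the distinction just described is to check, on a managed device, which apps have an accessibility service enabled and which installer package they came from. The following is an added triage helper, not code from the article or from ThreatFabric; it parses constructed sample output in the format printed by `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`, and the trusted-installer list (including a hypothetical MDM agent package) is an assumption to adapt to your fleet.

```python
import re

# Installers treated as trusted app sources on a managed device.
# Assumption: Google Play plus a hypothetical enterprise MDM agent package.
TRUSTED_INSTALLERS = {"com.android.vending", "com.example.mdm.agent"}

# Constructed sample of `adb shell pm list packages -i` output.
# "installer=null" means the package was sideloaded with no recorded installer.
PM_LIST_SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.videoplayer  installer=null
package:com.example.update  installer=com.example.videoplayer
package:com.example.bank  installer=com.android.vending
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated "package/service" entries).
A11Y_SAMPLE = "com.example.update/.RemoteService:com.example.a11ytool/.Helper"

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output):
    """Map package name -> installer package (None when the installer is 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_a11y_services(setting_value):
    """Return the set of packages that have an enabled accessibility service."""
    if not setting_value or setting_value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting_value.split(":") if entry}


def triage(pm_output, a11y_value, trusted=TRUSTED_INSTALLERS):
    """Flag (1) accessibility-enabled packages not installed by a trusted store and
    (2) packages whose installer is itself a non-store app: the dropper pattern."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg in sorted(parse_a11y_services(a11y_value)):
        inst = installers.get(pkg)
        if inst not in trusted:
            findings.append(("a11y_untrusted_source", pkg, inst))
    for pkg, inst in sorted(installers.items()):
        if inst is not None and inst not in trusted and installers.get(inst) not in trusted:
            findings.append(("installed_by_sideloaded_app", pkg, inst))
    return findings
```

Run against the samples, the helper flags the accessibility-enabled update app (installed by a sideloaded video player) and the unknown a11y tool, while Play-installed apps pass.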

Meet the SecuriDropper malware

The SecuriDropper malware uses the same installation method as legitimate software from the Google Play Store. Once executed by the unsuspecting user, the malware requests two key permissions: read and write external storage, and install and delete packages.

Once the permissions are granted, the malware checks whether its payload is already present on the device. If it is, the payload runs; if it is not, the malware shows the user a message explaining that something went wrong and that they need to tap the reinstall button. The message varies with the device’s location and configured language.

Upon completion, the session-based installation begins, and the user is asked for permission to enable the Accessibility Service, which is made possible by the bypass of the Restricted Settings feature (Figure A).

Figure A: The installation flow as seen by the user. Image: ThreatFabric

The malware was found posing as various Android applications, such as Google apps or Android updates (27%), video players (25%), security applications (15%) or games (12%), followed by email clients, adult content apps, music players and other apps (Figure B).

Figure B: SecuriDropper disguises itself as various applications in the wild. Image: ThreatFabric

Various final payloads of SecuriDropper

Any type of malicious code can be dropped and installed by SecuriDropper, as the malware’s sole goal is to install other malware on the infected device. ThreatFabric observed two campaigns using SecuriDropper.

The first is an attack campaign delivering SpyNote, a malware with remote administration tool features. The malicious payload was distributed through phishing websites and deployed by SecuriDropper. The SpyNote malware, which is capable of capturing sensitive information on the device as well as stealing SMS messages and call logs and taking screenshots, requires exactly the set of permissions that would otherwise be unavailable because of Android’s Restricted Settings. Installation via SecuriDropper lets SpyNote infect devices even on Android 13 without any change to its code.

In another attack campaign, SecuriDropper was seen installing the ERMAC banking trojan. The malware was deployed through Discord, a communication tool previously used mainly by gamers but increasingly used by other communities, including corporate entities.

More malware will use this technique

Various malware families will likely use this technique in the future. One service already using it is Zombinder.

The darknet platform Zombinder has started advertising a new version that bypasses Android 13 Restricted Settings, ThreatFabric reports. The Zombinder service allows an attacker to bind a legitimate application to malware. Once the infection occurs, the legitimate application runs normally while the malware executes unnoticed in the background.

Zombinder also sells builders with Android 13 restriction-bypass capabilities. These builders produce software that drops malware onto infected devices (droppers) and are sold for $1,000 USD.

As ThreatFabric wrote, “The emergence of services like Zombinder is indicative of a rapidly growing market in cybercrime, offering builders and tools to bypass Android 13 security. This is a testament to the resourcefulness of those who seek to exploit security vulnerabilities for their own benefit.”

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
