A recently emerged “Dropper-as-a-Service” (DaaS) offering known as “SecuriDropper” bypasses Android’s “Restricted Settings” feature to install malware on devices and let it obtain access to Accessibility Services.
“Restricted Settings” is a security feature introduced in Android 13. It prevents applications installed from sources outside of Google Play, such as side-loaded APK files, from being granted sensitive capabilities like Accessibility Services and Notification Listener access.
Cybercriminals routinely abuse these two services once their malware is on a device. Restricted Settings therefore blocks a sideloaded app’s request to enable them and shows the user a warning dialog whenever such access is sought.
Accessibility Services can be abused to read on-screen text, grant additional permissions, and perform remote navigation actions on the victim’s behalf. The Notification Listener, for its part, can be abused to steal one-time passwords delivered by notification.
In August 2022, ThreatFabric reported that malware developers had begun adapting their strategies to exploit these features, leveraging a new dropper named “BugDrop.”
Drawing from its findings, the company developed a proof-of-concept (PoC) dropper to demonstrate the feasibility of bypassing these security measures.
The technique relies on Android’s session-based package installation API (the PackageInstaller session API that app stores use), which stages an APK set and installs it in several steps: a “base” package plus optional “split” APKs carrying additional code or resources.
When malware uses this API instead of the non-session approach (handing the APK to the system installer through an intent), Android does not treat the resulting app as sideloaded: the “Restricted Settings” dialog is never shown, and the dropped payload can be granted Accessibility or Notification Listener access without the warning that would otherwise block the request.
As reported by BleepingComputer, this bypass still works on Android 14. Furthermore, a recent ThreatFabric report reveals that SecuriDropper uses the same technique to surreptitiously load malware onto devices and give it access to these critical subsystems.
SecuriDropper camouflages itself as a genuine application and targets Android devices, often masquerading as a Google app, an Android update, a video player, a security app, or a game. It then installs a second-stage payload, which is the actual malware.
The dropper requests the “Read & Write External Storage” and “Install & Delete Packages” permissions during installation. It then installs the second-stage payload by tricking users into tapping a “Reinstall” button after showing fake error messages about the dropper app. According to ThreatFabric, the SpyNote spyware is distributed through SecuriDropper, often disguised as a Google Translate application.
In some instances, SecuriDropper has also been observed distributing the Ermac banking trojan, disguised as the Chrome browser.
To safeguard your Android device against these threats, refrain from downloading APK files from unverified sources. Furthermore, scrutinize the permissions requested by applications, and periodically review which apps are enabled under Settings > Accessibility and under Settings > Apps > Special app access > Notification access. If an app requests access to device components that are unnecessary for its functionality, it’s advisable to avoid installation.
To enhance security:
- Install trusted antivirus software for malware protection.
- Keep your device updated with regular OS and app updates, which often include important security patches.
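As an added example (not code from ThreatFabric, Google, or the SecuriDropper operators), the following Python script automates the check recommended above over adb. It lists which apps currently hold Accessibility or Notification Listener access and whether each one arrived through a trusted installer, and it also flags the installer chain a dropper leaves behind: a payload whose installer is itself a sideloaded app rather than a store. The adb queries (`pm list packages -i`, `settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners`) are standard; the trusted-installer set is an assumption to adjust for your own devices, and every package name in the embedded sample data is constructed for illustration.

```python
"""Audit an Android device for apps that hold Accessibility or Notification
Listener access but did not arrive through a trusted store.

Added example for this article, not code from ThreatFabric or Google. It
reads three things over adb (or falls back to constructed sample data when
no adb is available) and flags:
  * enabled accessibility services / notification listeners whose package
    was not installed by a trusted installer, and
  * packages whose installer is itself a sideloaded app, which is the
    dropper-installs-payload pattern described in the article.
All package names in the sample data are made up.
"""
import shutil
import subprocess

# Installers treated as trusted. Assumption: Play plus one OEM store; adjust
# for your fleet. "null" (adb or manual sideload) is never trusted.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Constructed sample output of `pm list packages -i` ...
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.weather  installer=com.android.vending
package:com.fake.securitytool  installer=null
package:com.fake.translate  installer=com.fake.securitytool
"""
# ... and of `settings get secure enabled_accessibility_services` /
# `enabled_notification_listeners` (colon-separated "pkg/Service" entries).
SAMPLE_ACCESSIBILITY = ("com.fake.translate/com.fake.translate.RatService:"
                        "com.example.weather/.ReadAloudService")
SAMPLE_LISTENERS = "com.fake.translate/com.fake.translate.OtpListener"


def parse_installers(pm_output: str) -> dict:
    """Map package -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, installer_part = line.partition("installer=")
        pkg = pkg_part[len("package:"):].strip()
        installers[pkg] = installer_part.strip() or "null"
    return installers


def parse_services(setting_value: str) -> set:
    """Package names from a colon-separated 'pkg/Service' list ('null' = unset)."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def audit(installers: dict, accessibility: set, listeners: set,
          trusted: set = TRUSTED_INSTALLERS) -> list:
    """Return (package, installer, reason) tuples for suspicious grants."""
    findings = []
    for pkg in sorted(accessibility | listeners):
        installer = installers.get(pkg, "unknown")
        if installer in trusted:
            continue
        held = [name for name, group in (("accessibility", accessibility),
                                         ("notification-listener", listeners))
                if pkg in group]
        findings.append((pkg, installer, "holds " + ", ".join(held)))
        # Second hop: was the installer itself sideloaded? Seen from the
        # package records, that is exactly what a dropper looks like.
        if installer in installers and installers[installer] not in trusted:
            findings.append((installer, installers[installer],
                             "sideloaded installer of " + pkg))
    return findings


def adb_shell(*args: str) -> str:
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def audit_device() -> list:
    """Run the audit against the connected device."""
    return audit(parse_installers(adb_shell("pm", "list", "packages", "-i")),
                 parse_services(adb_shell("settings", "get", "secure",
                                          "enabled_accessibility_services")),
                 parse_services(adb_shell("settings", "get", "secure",
                                          "enabled_notification_listeners")))


def audit_sample() -> list:
    """Run the audit against the constructed sample data above."""
    return audit(parse_installers(SAMPLE_PM), parse_services(SAMPLE_ACCESSIBILITY),
                 parse_services(SAMPLE_LISTENERS))


if __name__ == "__main__":
    findings = audit_device() if shutil.which("adb") else audit_sample()
    for pkg, installer, reason in findings:
        print(f"{pkg:32} installer={installer:28} {reason}")
```

On the sample data the script reports `com.fake.translate` (holding both services, installed by `com.fake.securitytool`) and then `com.fake.securitytool` itself (installer `null`, i.e. sideloaded), which is the two-stage footprint SecuriDropper leaves. An app that holds one of these services but was installed by Play is not reported, so the script narrows the review to the cases Restricted Settings was meant to catch.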