Cybercrime service bypasses Android security to install malware

November 6, 2023 at 07:10AM

A new cybercrime operation called ‘SecuriDropper’ is using a technique to bypass Android’s ‘Restricted Settings’ feature and install malware on devices. This allows the malware to access Accessibility Services and obtain sensitive information. The bypass method involves using the session-based installation API for malicious APK files. The security issue is still present in Android 14. SecuriDropper poses as legitimate apps, such as Google apps or video players, and then installs a second payload, which is the malware. The malware distributed through SecuriDropper includes the SpyNote and Ermac trojans. Another DaaS operation called Zombinder has also resurfaced, using the same Restricted Settings bypass strategy to infect Android devices with info-stealers and banking trojans. Android users are advised to avoid downloading APK files from unknown sources and to review and revoke permissions for installed apps. It is unclear if Google will implement new security measures to address this issue.

Summary of Meeting Notes:

– A new cybercrime operation called ‘SecuriDropper’ has emerged, using a method to bypass Restricted Settings in Android and install malware on devices.
– Restricted Settings is a security feature introduced with Android 13 to block side-loaded applications from accessing powerful features like Accessibility settings and Notification Listener.
– SecuriDropper abuses Accessibility Services to capture on-screen text and grant additional permissions, while also using Notification Listener to steal one-time passwords.
– ThreatFabric reported that malware developers were already adjusting their tactics to this new measure, as seen in a dropper named ‘BugDrop.’
– The bypass involves using the session-based installation API for malicious APK files, which bypasses Restricted Settings warnings.
– The security issue is still present in Android 14, and SecuriDropper continues to use the same technique to side-load malware on target devices.
– SecuriDropper poses as legitimate apps, such as Google apps, Android updates, video players, security apps, or games, and then installs a second payload as malware.
– SpyNote malware and the Ermac banking trojan have been distributed through SecuriDropper, disguised as Google Translate and the Chrome browser, respectively.
– Zombinder, another dropper-as-a-service operation, has resurfaced and uses the same Restricted Settings bypass strategy as SecuriDropper.
– To protect against these attacks, Android users should avoid downloading APK files from unfamiliar sources and can review and revoke permissions for installed apps in the Settings.
– BleepingComputer has reached out to Google for information on new security measures but has not received a response yet.
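The bullets above describe the two capabilities these droppers are after (Accessibility Services and Notification Listener) and the fact that the payload arrives through a second, session-based install rather than directly from an app store. A defender triaging a device can cross-reference those two facts: which packages currently hold either capability, and which installer the platform recorded for each. The script below is an added example, not code from the article or from ThreatFabric. It assumes the output shapes of three adb commands as they appear on recent Android builds (`settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners`, and `pm list packages -3 -i`); the sample outputs embedded in it are constructed, and the package names in them are placeholders.

```python
"""Triage helper: flag Android apps that hold Accessibility or Notification
Listener access but were not installed by a trusted installer.

Added example, not code from the article or from ThreatFabric. Assumed
command output shapes (recent Android builds):
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell pm list packages -3 -i      # third-party packages with installer
The sample outputs below are constructed; package names are placeholders.
"""

# Constructed: colon-separated package/service entries, as `settings get` prints them.
ACCESSIBILITY_RAW = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.chromeupdate/com.example.chromeupdate.A11yService"
)

# Constructed: same shape for enabled notification listeners.
LISTENERS_RAW = (
    "com.example.notes/com.example.notes.NotifService:"
    "com.example.chromeupdate/com.example.chromeupdate.NotifService"
)

# Constructed: `pm list packages -3 -i` output. A second-stage payload
# installed through a dropper's PackageInstaller session is recorded with
# the dropper as its installer; a browser side-load may record none.
PACKAGES_RAW = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.videoplayer  installer=null
package:com.example.chromeupdate  installer=com.example.videoplayer
package:com.example.notes  installer=com.android.vending
"""

# Installers the fleet policy trusts; a managed device might add an MDM agent.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_services(raw):
    """Map package -> [service component] from a `settings get secure` value.
    The setting reads literally 'null' when no service is enabled."""
    result = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return result
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        result.setdefault(pkg, []).append(svc)
    return result


def parse_installers(raw):
    """Map package -> installer (None when the platform recorded none)
    from `pm list packages -i` output."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("installer=")
        installer = rest.strip() or "null"
        installers[pkg.strip()] = None if installer == "null" else installer
    return installers


def find_suspicious(accessibility_raw, listeners_raw, packages_raw,
                    trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, capability, installer) tuples for every app
    holding a powerful capability whose installer is not in `trusted`."""
    holders_by_capability = (
        ("accessibility", parse_services(accessibility_raw)),
        ("notification_listener", parse_services(listeners_raw)),
    )
    installers = parse_installers(packages_raw)
    findings = []
    for capability, holders in holders_by_capability:
        for pkg in holders:
            installer = installers.get(pkg)  # None: no installer recorded
            if installer not in trusted:
                findings.append((pkg, capability, installer or "unknown"))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, capability, installer in find_suspicious(
            ACCESSIBILITY_RAW, LISTENERS_RAW, PACKAGES_RAW):
        print(f"{pkg}: holds {capability}, installed by {installer}")
```

Running it on the constructed sample flags only `com.example.chromeupdate`, twice: it holds both capabilities and was installed by another third-party app rather than the store. On a real device, feed the script the output of the three adb commands; restricting the package listing to `-3` keeps pre-installed system apps, which legitimately have no recorded installer, out of the findings.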