A recently identified dropper-as-a-service (DaaS) uses a novel technique to bypass Android’s security restrictions for payload delivery, online fraud detection firm ThreatFabric reports.
Dubbed ‘SecuriDropper’, the threat uses a ‘session-based’ installer to sideload malware, bypassing the Restricted Settings feature that Google introduced in Android 13.
Acting as a gatekeeper, Restricted Settings prevents sideloaded applications from requesting Accessibility and Notification Listener permissions, which are typically abused by malware.
For applications downloaded from a marketplace, a session-based package installer is used, differentiating them from sideloaded apps.
To bypass the restrictions, SecuriDropper employs a two-step infection process, which involves the distribution of a seemingly innocuous application that serves as a dropper for the secondary payload, typically malware.
SecuriDropper, ThreatFabric has discovered, uses an Android API that allows it to mimic a marketplace’s installation process, preventing the operating system from identifying the payload as sideloaded, thus bypassing Restricted Settings.
The dropper asks permissions to read and write to external storage and to install and delete packages, then checks if the payload is installed on the device. If it is, the dropper launches it, otherwise prompting the user to ‘reinstall’ the application, which initiates the payload delivery.
“After the session-based installation, the malicious application operates according to its intended purpose, successfully requesting the essential permissions while prompting users to enable AccessibilityService, which is possible due to the circumvention of Android 13’s ‘Restricted Setting’ feature,” ThreatFabric explains.
To date, SecuriDropper has been observed delivering the SpyNote spyware family (which also includes RAT capabilities) and the Ermac banking trojan.
In addition to SecuriDropper, Zombinder is another DaaS advertised with Restricted Settings-bypassing capabilities. Available since at least 2022, it essentially injects a dropper in a legitimate application.
According to ThreatFabric, recent Zombinder DaaS advertisements mention access to a dropper builder that appears to work similar to SecuriDropper.
“However, at the time of writing this blog, we do not possess definitive information to establish a direct connection between SecuriDropper and the advertised Zombinder service. ThreatFabric researchers will continue to closely monitor both the SecuriDropper and Zombinder services,” the company notes.