Connect with us

Hi, what are you looking for?


Malware & Threats

Dropper Service Bypassing Android Security Restrictions to Install Malware

ThreatFabric warns of a dropper service bypassing recent Android security restrictions to install spyware and banking trojans.

A recently identified dropper-as-a-service (DaaS) uses a novel technique to bypass Android’s security restrictions for payload delivery, online fraud detection firm ThreatFabric reports.

Dubbed ‘SecuriDropper’, the threat uses a ‘session-based’ installer to sideload malware, bypassing the Restricted Settings feature that Google introduced in Android 13.

Acting as a gatekeeper, Restricted Settings prevents sideloaded applications from requesting Accessibility and Notification Listener permissions, which are typically abused by malware.

For applications downloaded from a marketplace, a session-based package installer is used, differentiating them from sideloaded apps.

To bypass the restrictions, SecuriDropper employs a two-step infection process, which involves the distribution of a seemingly innocuous application that serves as a dropper for the secondary payload, typically malware.

SecuriDropper, ThreatFabric has discovered, uses an Android API that allows it to mimic a marketplace’s installation process, preventing the operating system from identifying the payload as sideloaded, thus bypassing Restricted Settings.

The dropper asks permissions to read and write to external storage and to install and delete packages, then checks if the payload is installed on the device. If it is, the dropper launches it, otherwise prompting the user to ‘reinstall’ the application, which initiates the payload delivery.

“After the session-based installation, the malicious application operates according to its intended purpose, successfully requesting the essential permissions while prompting users to enable AccessibilityService, which is possible due to the circumvention of Android 13’s ‘Restricted Setting’ feature,” ThreatFabric explains.

Advertisement. Scroll to continue reading.

To date, SecuriDropper has been observed delivering the SpyNote spyware family (which also includes RAT capabilities) and the Ermac banking trojan.

In addition to SecuriDropper, Zombinder is another DaaS advertised with Restricted Settings-bypassing capabilities. Available since at least 2022, it essentially injects a dropper in a legitimate application.

According to ThreatFabric, recent Zombinder DaaS advertisements mention access to a dropper builder that appears to work similar to SecuriDropper.

“However, at the time of writing this blog, we do not possess definitive information to establish a direct connection between SecuriDropper and the advertised Zombinder service. ThreatFabric researchers will continue to closely monitor both the SecuriDropper and Zombinder services,” the company notes.

Related: Google Play Protect Gets Real-Time Code Scanning

Related: Spyware Caught Masquerading as Israeli Rocket Alert Applications

Related: Xenomorph Android Banking Trojan Targeting Users in US, Canada

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.