Advisory ID: NCC-CSIRT-291123-042
Summary: Researchers at ThreatFabric, an online fraud detection company, have identified a dropper-as-a-service (DaaS) malware known as SecuriDropper. This malware employs an innovative method to bypass Android's security restrictions during payload delivery. SecuriDropper facilitates the infiltration of devices, enabling malicious actors to distribute spyware and banking Trojans. The deployment of these malicious payloads poses a threat to users' privacy and financial security.
Threat Type(s): Malware, Spyware and Banking Trojans
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Android
Platform(s): Android Operating System
Version(s): Android 13
Description: The researchers revealed that the threat employs a 'session-based' installer to load malware, effectively evading Android 13's Restricted Settings feature introduced by Google. Restricted settings act as a safeguard against sideloaded applications seeking accessibility and notification listener permissions, commonly exploited by malware. In the case of apps obtained from a marketplace, a session-based package installer is utilized, distinguishing them from sideloaded counterparts. To overcome these restrictions, SecuriDropper employs a two-step infection process. It initially distributes a seemingly harmless application, functioning as a dropper for the actual malware payload. SecuriDropper utilizes an Android API to emulate the installation process of a marketplace, preventing the operating system from recognizing the payload as sideloaded and thus bypassing Restricted Settings. The dropper requests permissions for external storage access, package installation and deletion, then checks for the payload's presence. If installed, the dropper launches it; otherwise, it prompts the user to 'reinstall' the application, triggering payload delivery.
Consequences: SecuriDropper bypass Android's 'Restricted Settings' feature, allowing it to install malware on devices and gain access to accessibility services.
Solution:
- Caution is advised for Android users against downloading APK files from unfamiliar or untrusted sources or publishers.
- Android users should be mindful of the permissions granted to apps, as they have control over which permissions an app receives.
Pay attention to warnings from Google Play Protect and agree to block any apps flagged by Google Play Services for displaying malicious behavior.
References:
https://www.securityweek.com/dropper-service-bypassing-android-security-restrictions-to-install-malware/
https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions
https://www.bleepingcomputer.com/news/security/cybercrime-service-bypasses-android-security-to-install-malware/
https://www.noypigeeks.com/tech-news/securidropper-bypass-android-security/
https://thehackernews.com/2023/11/securidropper-new-android-dropper-as.html