New Android Dropper-as-a-Service 'SecuriDropper' Evades Google's Security Measures


Cybersecurity researchers have disclosed details of a new Android dropper service called SecuriDropper, which is designed to bypass the latest security restrictions imposed by Google. Dropper malware acts as a conduit to install a payload on a compromised device, making it an attractive business model for threat actors: it lets them advertise their capabilities to criminal groups and separate the development and execution of an attack from the malware installation.

Bypassing Google's Security Measures:

Google introduced Restricted Settings with Android 13, preventing sideloaded applications from acquiring Accessibility and Notification Listener permissions, commonly abused by banking trojans. SecuriDropper is engineered to circumvent this security measure discreetly. It often masquerades as an innocuous app with samples observed in the wild bearing names like "com.appd.instll.load (Google)" and "com.appd.instll.load (Google Chrome)."

Unique Installation Procedure:

SecuriDropper stands out due to its distinctive installation procedure. Unlike its predecessors, this malware family employs a different Android API for installing the new payload, emulating the process used by marketplaces to install applications. Because Restricted Settings targets sideloaded apps, a payload installed the way a marketplace installs it is not subject to the same block. The first stage requests permissions to read and write data to external storage, as well as to install and delete packages.

Payload Installation Process:

In the second stage, the malicious payload is installed by prompting the victim to tap a "Reinstall" button in the dropper app, purportedly to resolve an installation error.
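The three observations above (Restricted Settings applies to sideloaded apps, the first stage holds install/delete-package and external-storage permissions, and the second-stage payload is installed by the dropper itself rather than by a store) can be turned into a simple triage heuristic over a device's package inventory. The script below is an added example, not code from the article or from ThreatFabric; the inventory format is a constructed, simplified one modelled on the fields a defender can pull from `pm`/`dumpsys package` (package name, installer package, requested permissions, service permissions), the trusted-installer allow-list is an assumption, and `com.example.payload` is a placeholder. The Android permission names and the `com.appd.instll.load` package name are real (the latter from the article).

```python
"""Triage heuristic for SecuriDropper-style droppers in an Android package
inventory. Added example; the inventory format and field names are this
example's own, not real dumpsys output."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumption: store installers the defender trusts (Restricted Settings treats
# these as non-sideloaded). com.android.vending is the Play Store.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Permissions the article associates with the dropper's first stage ...
INSTALL_PERMS = {"android.permission.REQUEST_INSTALL_PACKAGES",
                 "android.permission.REQUEST_DELETE_PACKAGES"}
STORAGE_PERMS = {"android.permission.READ_EXTERNAL_STORAGE",
                 "android.permission.WRITE_EXTERNAL_STORAGE"}
# ... and the service permissions Restricted Settings is meant to protect.
SENSITIVE_SERVICE_PERMS = {"android.permission.BIND_ACCESSIBILITY_SERVICE",
                           "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}


@dataclass
class PackageRecord:
    name: str
    installer: Optional[str] = None          # None = manual/adb sideload
    permissions: Set[str] = field(default_factory=set)
    service_perms: Set[str] = field(default_factory=set)


def parse_inventory(text: str) -> List[PackageRecord]:
    """Parse 'package=' blocks of key=value lines (constructed format)."""
    records: List[PackageRecord] = []
    current: Optional[PackageRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "package":
            current = PackageRecord(name=value)
            records.append(current)
        elif current is None:
            continue
        elif key == "installer":
            current.installer = value or None
        elif key == "perm":
            current.permissions.add(value)
        elif key == "service_perm":
            current.service_perms.add(value)
    return records


def triage_inventory(records: List[PackageRecord]) -> Dict[str, List[str]]:
    """Map package name -> reasons it looks like a dropper or its payload."""
    findings: Dict[str, List[str]] = {}
    droppers: Set[str] = set()
    # Pass 1: first-stage pattern, a sideloaded app that can install/delete
    # packages and stage files on external storage.
    for r in records:
        sideloaded = r.installer not in TRUSTED_INSTALLERS
        if sideloaded and r.permissions & INSTALL_PERMS and r.permissions & STORAGE_PERMS:
            findings.setdefault(r.name, []).append(
                "sideloaded app with install/delete-package and external-storage permissions (dropper pattern)")
            droppers.add(r.name)
    # Pass 2: second-stage pattern. A package installed via the installer API
    # records the calling app as its installer, so a payload's installer field
    # points back at the dropper rather than at a store.
    for r in records:
        if r.installer in droppers:
            findings.setdefault(r.name, []).append(f"installed by suspected dropper {r.installer}")
        if r.service_perms & SENSITIVE_SERVICE_PERMS and r.installer not in TRUSTED_INSTALLERS:
            findings.setdefault(r.name, []).append(
                "accessibility/notification-listener service reached outside the store install path")
    return findings


# Constructed sample inventory (not real dumpsys output).
SAMPLE_INVENTORY = """
package=com.android.chrome
installer=com.android.vending
perm=android.permission.INTERNET
package=com.appd.instll.load
installer=
perm=android.permission.INTERNET
perm=android.permission.READ_EXTERNAL_STORAGE
perm=android.permission.WRITE_EXTERNAL_STORAGE
perm=android.permission.REQUEST_INSTALL_PACKAGES
perm=android.permission.REQUEST_DELETE_PACKAGES
package=com.example.payload
installer=com.appd.instll.load
perm=android.permission.INTERNET
service_perm=android.permission.BIND_ACCESSIBILITY_SERVICE
"""

if __name__ == "__main__":
    for pkg, reasons in triage_inventory(parse_inventory(SAMPLE_INVENTORY)).items():
        print(pkg, "->", "; ".join(reasons))
```

The second pass is the useful part: on its own, a sideloaded app requesting `REQUEST_INSTALL_PACKAGES` is noisy (alternative stores and file managers do it too), but a second package whose installer field names that sideloaded app, and which declares an accessibility or notification-listener service, matches the two-stage chain the article describes and is worth a closer look.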

Distribution of Android Banking Trojans:

ThreatFabric, the Dutch cybersecurity firm that discovered SecuriDropper, has noted that Android banking trojans such as SpyNote and ERMAC are being distributed via SecuriDropper on deceptive websites and third-party platforms like Discord.

Zombinder and the Evolving Threat Landscape:

Another dropper service called Zombinder has been observed offering a similar bypass of Restricted Settings. Zombinder is an APK binding tool that was believed to be deactivated earlier this year. It remains unclear if there is any connection between the two tools.

Conclusion:

As Android continues to enhance its security measures, cybercriminals are adapting and innovating to bypass them. Dropper-as-a-Service (DaaS) platforms like SecuriDropper have emerged as potent tools, enabling threat actors to distribute malicious payloads while evading platform security controls. This highlights the need for ongoing vigilance and layered defensive measures to protect Android users from evolving threats.
