Cybersecurity experts have discovered a new Android Dropper-as-a-Service (DaaS) named SecuriDropper, which successfully bypasses Google’s latest security protocols, enabling the delivery of malware.
Dropper malware for Android serves as a means to deliver a payload to an already compromised device. This nefarious technique has become a lucrative business model for threat actors who can market its capabilities to other criminal groups.
[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing
Furthermore, it empowers attackers to separate the planning and execution of an assault from the malware download phase.
A noteworthy security enhancement introduced in Android 13 by Google is the “Restricted Settings” feature. This feature effectively prevents sideloaded apps from acquiring coveted Accessibility and Notification Listener privileges, which are frequently exploited by malicious banking trojans for nefarious purposes.
SecuriDropper’s primary objective is to navigate this barrier stealthily, evading detection. Typically, the dropper disguises itself as an innocuous-looking application. Several deceptive variations of this approach have been observed in the wild, including:
- Google Search: com.appd.instll.load
- load com.appd.instll (Google Chrome)
“What makes SecuriDropper stand out is the technical implementation of its installation procedure,” ThreatFabric made clear.
“Unlike its predecessors, this family uses a different Android API to install the new payload, mimicking the process used by marketplaces to install new applications.”
During the second stage, the malicious payload is installed with greater ease by instructing victims to click on an app’s “Reinstall” button, leading them to believe it’s a remedy for a previous installation error.
ThreatFabric has observed instances where Android banking Trojans such as SpyNote and ERMAC have been disseminated through SecuriDropper on counterfeit websites and third-party platforms like Discord.
Zombinder, an APK binding tool believed to have been deactivated earlier this year, has resurfaced as a malware service, providing an alternative method to circumvent Restricted Settings. The exact connection between these two tools remains to be determined.
“As Android continues to raise the bar with each iteration, cybercriminals, too, adapt and innovate,” the firm said. “Dropper-as-a-Service (DaaS) platforms have emerged as potent tools, allowing malicious actors to infiltrate devices to distribute spyware and banking trojans.”
Recent Development
Along with the user’s permission, restricted settings add another layer of security to apps that need to access Android settings and rights. The main way that Android protects people is by letting them choose which apps can do things. Also, Google Play Protect keeps users safe by alerting them to or blocking apps on Android devices that are known to do bad things with Google Play Services. To help keep users safe, we are always looking at new ways to attack and making Android safer against malware.
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.