
How this malware bypasses Android security mechanisms

Published: November 10, 2023 | Created: November 10, 2023

By Daniel Casil

A dangerous piece of malware has managed to bypass the security mechanisms Google introduced with Android 13. Called SecuriDropper, this virus imitates the behavior of an application from the Play Store in order to install spyware or malware designed to steal your bank account.

Computer security researchers at ThreatFabric have discovered new malware targeting Android smartphones, dubbed SecuriDropper. The virus belongs to the “dropper” category: a type of malware designed to sneak into a system in order to install other software.

It is a very common tool among hackers, who use it to deploy other even more dangerous viruses, such as ransomware for example. SecuriDropper is offered as part of a Dropper-as-a-Service (DaaS) subscription to cybercriminals.

After investigation, the experts found that SecuriDropper is notably capable of bypassing certain security mechanisms Google put in place with Android 13. The malware can indeed bypass the restricted settings that appeared in the operating system in 2022.

Android’s restricted settings

These settings impose restrictions on apps that were not installed from the Play Store. If you installed an app from an APK or third-party store, Google will automatically impose limits on it. For example, the app will not be able to access sensitive functions, like the accessibility API or notifications. A warning will automatically indicate to the user that the app has been restricted.

This security measure obviously aims to protect users against suspicious apps, which generally come from APKs spread on the web. By avoiding the Play Store, malware developers also avoid Google’s security controls; likewise, their applications are not scanned by the Play Protect program. In practice, these restrictions exist to protect users.

As Google explains on its official website, it is possible to deactivate the restriction and grant access to apps that do not come from the Play Store. Nevertheless, the American giant recommends caution and “not to allow restricted settings unless you trust the app developer”.

How does SecuriDropper bypass the protections put in place by Google?

To bypass Android security, SecuriDropper relies on a “specific installation method”, says ThreatFabric. In short, the malware imitates the way a legitimate application from the Play Store is installed on an Android smartphone. Applications from the Google store are installed through a “session based” package installer, a tool that automates the management of software on the system. Program actions are limited to the active user session.

This is not the case for apps from a third-party platform or an APK. By using this same method, malicious applications trick Android into believing that they come from the Play Store. In fact, “the operating system cannot tell the difference between a dropper-installed application and an official market”, the report specifies. In the space of a year, hackers have found an infallible method to fool the precautions taken by Google.
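The two passages above describe the defender's side of this problem: restricted settings are applied according to how a package was installed, and a session-based install makes a sideloaded package look like a store install to that check. What the system still records, however, is which package requested the installation. The following triage script is an added example, not code from the article or from ThreatFabric: it parses the output of `adb shell pm list packages -i` (lines of the form `package:<name>  installer=<pkg>`) together with `adb shell settings get secure enabled_accessibility_services`, and flags packages that were not installed by the Play Store, that were installed by another non-system app (the dropper pattern), or that hold an enabled accessibility service. The sample device output embedded below is constructed, and the package names in it are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Package name of the Play Store; installs it performs are attributed to it.
PLAY_STORE = "com.android.vending"
# Prefixes treated as system packages and skipped (assumption for this example).
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")

# Constructed sample of `adb shell pm list packages -i` output (not from a real device).
PM_LIST_SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded.dropper  installer=null
package:com.example.payload  installer=com.example.sideloaded.dropper
package:com.android.settings  installer=null
"""

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated component names, package/service class.
ACCESSIBILITY_SAMPLE = (
    "com.example.payload/.OverlayService:"
    "com.android.talkback/.TalkBackService"
)


@dataclass
class PackageRecord:
    name: str
    installer: Optional[str]  # None when pm reports installer=null


LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_list(text: str) -> List[PackageRecord]:
    """Parse `pm list packages -i` output; unrelated lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, installer = m.groups()
        records.append(PackageRecord(name, None if installer == "null" else installer))
    return records


def parse_accessibility(text: str) -> Set[str]:
    """Return the set of package names that own an enabled accessibility service."""
    return {component.split("/")[0] for component in text.strip().split(":") if component}


def triage(pm_text: str, accessibility_text: str) -> Dict[str, List[str]]:
    """Map each suspicious non-system package to the reasons it was flagged."""
    a11y_owners = parse_accessibility(accessibility_text)
    findings: Dict[str, List[str]] = {}
    for rec in parse_pm_list(pm_text):
        if rec.name.startswith(SYSTEM_PREFIXES) or rec.installer == PLAY_STORE:
            continue
        reasons = ["not installed by the Play Store"]
        # An install attributed to another non-system app is the dropper pattern:
        # the session-based install is recorded against the app that requested it.
        if rec.installer is not None and not rec.installer.startswith(SYSTEM_PREFIXES):
            reasons.append(f"installed by another app ({rec.installer}), dropper pattern")
        if rec.name in a11y_owners:
            reasons.append("holds an enabled accessibility service")
        findings[rec.name] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(PM_LIST_SAMPLE, ACCESSIBILITY_SAMPLE).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On a real device the two inputs come from `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`; the script only needs their text. The installer attribution is the useful signal here precisely because the restricted-settings check is what the session-based trick fools, while the recorded installing package still names the app that drove the install.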

Spyware and Trojan malware

As ThreatFabric explains, SecuriDropper’s mode of operation involves two major steps. First, hackers distribute a malicious but seemingly harmless Android application on the web; the dropper is embedded in this app’s code. Once it has made its way onto the operating system, it installs spyware, such as SpyNote, or a banking Trojan, such as Ermac, to steal its victims’ data. This is where the trap closes.

Unfortunately, SecuriDropper is not the only virus that uses this tactic to bypass Android restrictions. ThreatFabric researchers also identified Zombinder, a service that lets its customers build a malicious application capable of bypassing restricted settings. It is likely that more cybercriminals will step into the breach in the near future.


https://www.gearrice.com/update/how-this-malware-bypasses-android-security-mechanisms/
