This post is dedicated to all the owners of an Android phone and people in cyber security.
It’s actually propagating a new malware for your phone that allows it to by-pass the latest security measures implemented into the latest version of Android (namely Restricted Setting)
The malware per-se is kinda brilliant even tho aim to the usual stuff (personal data and banking stuff).
So. Please. DO NOT INSTALL anything outside your App Store.
Since this can be easily camouflaged into a normal app PLEASE avoid to install fairly new app / weird app that might seems to good to be true and especially (as said earlier) if they don’t come from your default App Store.
This malware has the ability to conceal what permissions it really need and via a “scam” will let you allow to concede this rights. (told you, it’s brilliant).
A more technical Analysis
SecuriDropper is a widely distributed dropper able to bypass latest security measures on android devices.
If you didn’t know already the word Droppers is used by Security Researchers to identify a particular category of malware whose main purpose is to install a specific payload onto a device.
The “brilliant” side of this technique is that allow an attacker to easily separate the logic of development and attack execution from the malware installation.
Restricted Setting
Google, in the light of the new general attacks, started to introduce this security feature named “Restricted Settings” wich it’s main objective is to put restrictions on the privileges granted to sideloaded applications.
(Friendly reminder that by sideloading applications is intented the retrieval and installation of mobile application from sources that are not the official stores).
The main problem of application published outside the official stores is that they do not undergo a series of checks that can otherwise identify them as “malicious” (besides many other things)..
This procedure (sideloading) is the most preferred way for malicious actor to propagate their malware.
So, Restricted Setting is born !
It act, as you wish, as kinda a gatekeeper, not allowing sideloaded applications from directly requesting Accessibility settings and Notification Listener access ( two features much abused by malware in general).
Restricted Settings affects only sideloaded applications and apps downloaded from the official stores are not affected. So how does Android tell them apart ? (sideload or store)
Well, all comes to a session-based package installer. That is the default method used to install app from the official store. So, sideload app don’t use it. From here the system is able to tell the difference from where the app come from.
But, what if the malware decide to use a session-based package installer method ?
Well, so far there are no huge evidence that this has been done in a big scale (but some traces are back out there).
The main kind of permission, that this family of malware needs to operate, are:
- Read & Write External Storage
- Install & Delete Packages
And will do it’s best to make you allow them.
Acknowledgments and More Info
Kudos to Threat Fabric for researching this issue.
Here a link to their website explaining all this in more technical view (and with code extracts)
https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions
Stay Safe !
