Hackers Bypass Android 13 “Restricted Settings” Drop Malware


The ever-changing landscape of mobile security is a constant battle between security researchers and malicious actors. 

As security measures are implemented, cybercriminals find new ways to bypass them. 

EHA

One such instance is the introduction of Android 13’s “Restricted Settings” feature, designed to prevent unauthorized access to sensitive permissions. 

The emergence of SecuriDropper and Zombinder, however, demonstrates that cybercriminals have discovered ways to get around this security measure.

SecuriDropper: A New Wave of Dropper-as-a-Service (DaaS)

SecuriDropper is a member of the Dropper-as-a-Service (DaaS) family, which has gained momentum in the cyber underground. 

SecuriDropper uses a distinct installation process that resembles how official marketplaces install new applications, in contrast to its predecessors.

Slide1-3

SecuriDropper gets around Android 13’s Restricted Settings feature by using certain permissions and a session-based installation method. This lets cybercriminals install malware payloads without being caught, we have learned from ThreatFabric Research.

SecuriDropper’s ability to distribute various types of malware, including spyware and banking Trojans, is a significant concern. 

The dropper facilitates the deployment of SpyNote, a powerful spyware family that captures sensitive information such as text messages, call logs, and screen recordings. 

Additionally, SecuriDropper has been observed distributing banking Trojans, designed to steal financial information and manipulate transactions, posing a significant threat to users’ financial security.

Zombinder: Bridging Legitimate Apps and Malicious Payloads

Zombinder is another innovative tool in the cybercriminal arsenal, offering a unique approach to bypassing Android 13’s defenses. 

This service combines legitimate applications with malicious code, creating a covert delivery mechanism for malware. 

While initially advertised for $1000 as a complete package, recent developments have revealed that Zombinder purchasers gain access to a dropper builder, aligning with the capabilities of SecuriDropper. 

Slide5-4
Slide7-1

Although a direct connection between SecuriDropper and Zombinder is yet to be established, the similarities raise concerns about the evolving tactics employed by malicious actors.



Document

FREE Webinar

Ensure your Cyber Resiliance with the recent wave of cyber-attacks targeting the financial services sector. Almost 60% respondents not confident to recover fully from a cyber attack.


The Implications for Mobile Security

The emergence of SecuriDropper and services like Zombinder underscores the challenges faced by organizations and individuals relying on mobile channels. 

As Android continues to enhance its security features, cybercriminals respond with innovative techniques to exploit vulnerabilities. 

Dropper-as-a-service platforms have become potent tools for malicious actors, compromising users’ privacy and financial security.

For businesses and users alike, it is crucial to stay vigilant and informed about the latest developments in mobile security. 

Regularly updating devices, avoiding sideloading applications from untrusted sources, and being cautious of unexpected prompts for sensitive permissions are essential to mitigating the risks posed by evolving threats like SecuriDropper and Zombinder.

Stay tuned for further updates as ThreatFabric researchers continue to monitor these evolving threats and their implications for the mobile security landscape.

Indicators of Compromise

SecuriDropper Samples

HASH (SHA256) APP NAME PACKAGE NAME
68234450d90668909697893a76fc4a0791b35ba3f7bfc4d9d14f2866706019f3 Google com.appd.instll.load
2f64dd679494bdfba962bdc8ec6fb5e13ec4c754f12d494291442dc3e4862a93 Chrome com.appd.instll.load

Dropped Payload Samples

SpyNote.

HASH (SHA256) APP NAME PACKAGE NAME
22630eee4fdf1958e6c98721f0ccc522b2413a6f6c49f315f34c45726bf18b2d Google pole.pst.read

Ermac.C

HASH (SHA256) APP NAME PACKAGE NAME
13daf7b94124c142d509b036516eb3d532c22696574d8cd5d65aa9d636c293a9 Chrome com.jakedegivuwuwe.yewo

Patch Manager Plus: Patch over 850 third-party applications quickly – Try Free Trial.



Source link