
SecuriDropper is a new Android Dropper-as-a-Service malware


The fight against hackers is an ongoing battle. Threat actors have once again found a way to circumvent Android security measures, this time through droppers. A dropper is the initial component of malware that disguises itself as a legitimate app. Its primary function is to attempt to download a payload onto your device. According to a recent report, SecuriDropper, a new Dropper-as-a-Service (DaaS), has successfully circumvented the upgraded security measures in Android 13.

To combat the distribution of malware through sideloaded apps, Android 13 introduced a feature called “Restricted Settings.” Sideloaded apps, those obtained outside the official store (for example from unofficial app stores), are both a convenience and a significant security concern for Android users. Sideloading offers a way to obtain applications not available on the Google Play Store, but this freedom comes at a cost: heightened exposure to malware. While the Google Play Store has security measures to guard against malware, sideloaded apps do not undergo the same level of scrutiny, and that gap is a frequently exploited gateway for malware onto Android devices.

The Restricted Settings feature prevents sideloaded apps from directly requesting access to accessibility settings and notification listeners, two capabilities commonly abused by malware. The only way for a sideloaded app to reach these features is to make the device believe it is an official app installed from the Play Store. What distinguishes the two is the installation method: official apps are installed through Android’s “session-based” package installer, while sideloaded apps are not.

Enter SecuriDropper, an advanced Dropper-as-a-Service that surpasses its predecessors

Dropper-as-a-Service is a service that threat actors pay for to have their malware distributed to devices, separating malware development from the development of the app that delivers it. SecuriDropper employs a two-stage approach: first, it distributes what appears to be a harmless, legitimate app, which requests the “Read & Write External Storage” and “Install & Delete Packages” permissions during installation.

In the second stage, the app runs the malware if the payload is already on the device. If it is not, the app walks the user through a series of steps: it guides the user to download the payload with a series of tailored messages, then offers a “reinstall” button that downloads the payload and guides the user through the required permissions and installation type. What sets SecuriDropper apart is this tailored messaging, together with its ability to install the payload through a session-based installation, the same method official app stores use, so the payload is not subject to Restricted Settings. After the malware, which can be spyware or a banking trojan designed to compromise privacy or financial security, has been installed, the dropper disguises itself as one of various legitimate apps.
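The Restricted Settings exemption and the session-based payload install described above leave a trace on the device: the payload's recorded installer is the dropper app, not a store. As an added triage example (not code from the report or this article), the script below parses the output of `adb shell pm list packages -i` and flags packages installed by a third-party app rather than a known store; the allowlist and the sample output are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Installers that legitimately use Android's session-based package installer on a
# stock device. Assumed allowlist for this example; add your OEM store or MDM agent.
TRUSTED_INSTALLERS = {
    "com.android.vending",                  # Google Play Store
    "com.google.android.packageinstaller",  # system package installer (newer builds)
    "com.android.packageinstaller",         # system package installer (older builds)
}

# Constructed sample of `adb shell pm list packages -i` output: store apps, one app
# sideloaded from a file (installer=null), and one app installed *by* that sideloaded
# app, which is the dropper-to-payload pattern described above.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.pdfviewer  installer=null
package:com.example.payload  installer=com.example.pdfviewer
package:com.android.settings  installer=null
"""
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_output(text: str) -> Dict[str, Optional[str]]:
    """Map each package to the package that installed it. 'null' becomes None and
    covers system apps, adb installs and plain file-based sideloads alike."""
    installers: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            pkg, installer = match.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def find_dropper_chains(installers: Dict[str, Optional[str]]) -> List[dict]:
    """Flag packages whose installer is a third-party app rather than a trusted store.
    Such a package was installed through a session opened by that app, which is how a
    dropper gets its payload treated like a store install by Restricted Settings."""
    findings = []
    for pkg, installer in installers.items():
        if installer is None or installer in TRUSTED_INSTALLERS:
            continue
        findings.append({
            "package": pkg,
            "installer": installer,
            # None here means the installer itself has no store provenance.
            "installer_was_sideloaded": installers.get(installer) is None,
        })
    return findings
```

On the sample, the only finding is `com.example.payload`, installed by `com.example.pdfviewer`, which was itself sideloaded; on a real device, feed the script the live `pm` output and review each flagged installer.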

Zombinder, a previously known Dropper-as-a-Service, has reappeared on underground forums, where malware developers advertise its distribution service for a price of $1000. Zombinder binds legitimate software to malware without altering the behavior of the original app; the bundled app can bypass Google Protect alerts and other security features, making it a versatile tool for delivering various types of payloads.

The emergence of new DaaS tools like SecuriDropper and the resurgence of Zombinder illustrate the thriving market for malware distribution.
