Malware Devs Already Bypassed Android 13’s New Security Feature
Android malware developers are already adjusting their tactics to bypass a new ‘Restricted setting’ security feature introduced by Google in the newly released Android 13.
Android 13 was released this week, with the new operating system being rolled out to Google Pixel devices and the source code published on AOSP.
As part of this release, Google attempted to cripple mobile malware that attempted to enable powerful Android permissions, such as AccessibilityService, to perform malicious, stealthy behavior in the background.
However, analysts at Threat Fabric today say malware authors are already developing Android malware droppers that can bypass these restrictions and deliver payloads that enjoy high privileges on a user’s device.
Android 13 security
In previous Android versions, most mobile malware found its way inside millions of devices via dropper apps available on the Play Store, which masquerade as legitimate apps.
During installation, the malware apps prompt users to grant access to risky permissions and then sideload (or drop) malicious payloads by abusing Accessibility Service privileges.
Accessibility Services is a massively abused disability assistance system on Android that enables apps to perform swipes and taps, go back or return to the home screen. All of this is done without the knowledge or permission of the user.
Typically, the malware uses the service to grant itself additional permissions and stop the victim from manually deleting the malicious app.
In Android 13, Google’s security engineers introduced a ‘Restricted setting’ feature, which blocks sideloaded applications from requesting Accessibility Service privileges, limiting the function to Google Play-sourced APKs.
However, researchers at ThreatFabric were able to create a proof-of-concept dropper that easily bypassed this new security feature to gain access to Accessibility Services.
Bypassing Android’s Restricted settings
In a new report released today, Threat Fabric has discovered a new Android malware dropper that is already adding new features to bypass the new Restricted setting security feature.
While following the Xenomorph Android malware campaigns, Threat Fabric discovered a new dropper still under development. This dropper was named “BugDrop” after the many flaws that plague its operation at this early phase.
This novel dropper features code similar to Brox, a freely distributed malware development tutorial project circulating on hacker forums, but with a modification in one string of the installer function.
“What drew our attention is the presence in the Smali code of the string “com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED,” explains Threat Fabric in the report.
“This string, which is not present in the original Brox code, corresponds to the action required by intents to create an installation process by session.”
Session-based installation is used to perform a multi-staged installation of malware onto an Android device by splitting the packages (APKs) into smaller pieces and giving them identical names, version codes, and signing certificates.
This way, Android won’t see the payload installation as sideloading the APK, and thus Android 13’s Accessibility Service restrictions won’t apply.
“When fully implemented, this slight modification would circumvent Google’s new security measures fully, even before they are effectively in place,” comments Threat Fabric.
BleepingComputer has reached out to Google with further questions about this bypass and will update the story with any response.
BugDrop is still a work in progress by a group of malware authors and operators named ‘Hakoden,’ who are also responsible for creating the Gymdrop dropper and the Xenomorph Android banking trojan.
When BugDrop is ready for mass deployment, it is expected to be used in Xenomorph campaigns, enabling on-device credential theft and fraud behavior on the most recent Android devices.
Additionally, the latest Xenomorph samples analyzed by Threat Fabric have added remote access trojan (RAT) modules, making the malware an even more potent threat.