Android malware authors now track Google's releases closely: they have already adapted their tooling to sidestep "Restricted Settings", the newest mobile security feature in the latest version of Android, Android 13.
This week saw the official release of Android 13 for Google Pixel devices, along with the operating system's source code on AOSP. With this update Google set out to shut down mobile malware that abuses powerful Android permissions such as Accessibility Service to carry out covert actions in the background.
According to the Dutch fraud-defense company ThreatFabric, the measure is already being undermined. Attackers have found a way around the block and can still deliver payloads that obtain high privileges on a victim's device.
Hackers Target Play Store
In prior iterations of the software, ‘dropper apps’ from the Play Store were used. They posed as trustworthy apps, allowing the majority of their malware to infiltrate millions of devices. Once installed, the service would be used by the virus to obtain more rights for itself. Thus, preventing the victim from manually removing the app.
Google technicians hoped that by adding a “Restricted setting” feature to Android 13, it would prevent sideloaded apps from asking for Accessibility Service rights and only allows APKs downloaded through Google Play to use the feature.
However, Threat Fabric has already discovered a unique dropper software that Google simply can’t stand up to; Bugdrop Dropper. With a change to one string in the installer function, its code is comparable to Brox. an open-sourced malware creation tutorial project that has circulated in hacker forums recently.
What caught the attention of ThreatFabric's analysts was a particular string in the sample's decompiled Smali code. The string is absent from the original Brox source and corresponds to the activity needed to create an installation process by session.
In a session-based installation the payload is delivered as split APKs, smaller pieces that share the same package name, version number and signing certificate, all written into one install session and committed together. That is the way app stores install packages, so the multi-stage malware installation lands on the device in a single step, and Android does not treat the payload installation as sideloading an APK.
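To make the mechanism above concrete, here is the public Android PackageInstaller session API as any app store (or a dropper) would drive it, followed by the check a defender can run against an installed package. This is an added example written for this page, not BugDrop's or Brox's code; the action name and the "trusted installers" allow-list are assumptions, and the comment about `setPackageSource` reflects my understanding of the API 33 behaviour rather than anything the ThreatFabric write-up states.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.content.pm.InstallSourceInfo;
import android.content.pm.PackageInstaller;
import android.content.pm.PackageManager;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Set;

/** Added example: the public PackageInstaller session API, as used by app stores. */
public final class SessionInstallExample {

    // Hypothetical app-private action for the install-status broadcast (assumption).
    private static final String ACTION_INSTALL_STATUS = "com.example.ACTION_INSTALL_STATUS";

    /**
     * Writes every APK in apkFiles (a base APK plus its splits, which must share
     * package name, versionCode and signing certificate) into ONE session and
     * commits it, so Android installs them together as a single package.
     * The calling app needs the REQUEST_INSTALL_PACKAGES permission, and the user
     * still sees the system install confirmation dialog.
     */
    public static int installViaSession(Context ctx, File[] apkFiles) throws IOException {
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params =
                new PackageInstaller.SessionParams(PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        // Note what is NOT called here: SessionParams.setPackageSource(...). As I understand
        // API 33, a sideloading installer declares PACKAGE_SOURCE_LOCAL_FILE or
        // PACKAGE_SOURCE_DOWNLOADED_FILE; an installer that declares nothing leaves the
        // source unspecified, which is what store-style installs look like.
        int sessionId = installer.createSession(params);
        try (PackageInstaller.Session session = installer.openSession(sessionId)) {
            for (File apk : apkFiles) {
                try (InputStream in = new FileInputStream(apk);
                     OutputStream out = session.openWrite(apk.getName(), 0, apk.length())) {
                    byte[] buf = new byte[64 * 1024];
                    int n;
                    while ((n = in.read(buf)) > 0) {
                        out.write(buf, 0, n);
                    }
                    session.fsync(out);
                }
            }
            // The system reports the outcome (confirmation, success, failure) through this
            // PendingIntent; it must be mutable because the system fills in the status extras.
            Intent status = new Intent(ACTION_INSTALL_STATUS).setPackage(ctx.getPackageName());
            PendingIntent pi = PendingIntent.getBroadcast(ctx, sessionId, status,
                    PendingIntent.FLAG_MUTABLE | PendingIntent.FLAG_UPDATE_CURRENT);
            session.commit(pi.getIntentSender());
        }
        return sessionId;
    }

    /**
     * Defender-side triage: who installed this package, and which source did the
     * installer declare? Returns true when the installer is not on the allow-list,
     * i.e. the package came in through a session opened by something other than a
     * known store. trustedInstallers is a caller-supplied allow-list (assumption).
     */
    public static boolean installedByUnknownInstaller(Context ctx, String pkg,
                                                      Set<String> trustedInstallers)
            throws PackageManager.NameNotFoundException {
        InstallSourceInfo info = ctx.getPackageManager().getInstallSourceInfo(pkg); // API 30+
        String installer = info.getInstallingPackageName();                          // null if unknown
        int source = info.getPackageSource();                                        // API 33+
        android.util.Log.i("SessionInstallExample",
                pkg + " installer=" + installer + " packageSource=" + source);
        return installer == null || !trustedInstallers.contains(installer);
    }
}
```

The point of the pairing is that the session path does not remove the user's install prompt; it changes what Android records about how the package arrived, and that record is what Restricted Settings keys off. On a device under investigation, walking the installed packages through `installedByUnknownInstaller` with an allow-list of the device's real store apps surfaces packages that were session-installed by something that is not a store.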
BugDrop Takes on Google
Once finished, this small change will get around Google's new security measure before it is even widely deployed.
So who is behind BugDrop? The same group that built the Gymdrop dropper and the Xenomorph Android banking trojan: Hadoken Security.
Analysts are bracing for BugDrop's full release, since Xenomorph campaigns will most likely use it to enable credential theft and fraud on the newest Android devices. Hadoken has followed this pattern before, adding remote access trojan (RAT) modules to the most recent Xenomorph samples, and BugDrop could become one of the most dangerous threats the platform has faced.