Android malware

Android malware developers are already adjusting their tactics to bypass a new 'Restricted setting' security feature introduced by Google in the newly released Android 13.

Android 13 was released this week, with the new operating system being rolled out to Google Pixel devices and the source code published on AOSP.

As part of this release, Google attempted to cripple mobile malware that attempted to enable powerful Android permissions, such as AccessibilityService, to perform malicious, stealthy behavior in the background.

However, analysts at Threat Fabric today say malware authors are already developing Android malware droppers that can bypass these restrictions and deliver payloads that enjoy high privileges on a user's device.

Android 13 security

In previous Android versions, most mobile malware found its way inside millions of devices via dropper apps available on the Play Store, which masquerade as legitimate apps.

During installation, the malware apps prompt users to grant access to risky permissions and then sideload (or drop) malicious payloads by abusing Accessibility Service privileges.

Accessibility Services is a massively abused disability assistance system on Android that enables apps to perform swipes and taps, go back or return to the home screen. All of this is done without the knowledge or permission of the user.

Typically, the malware uses the service to grant itself additional permissions and stop the victim from manually deleting the malicious app.

In Android 13, Google's security engineers introduced a 'Restricted setting' feature, which blocks sideloaded applications from requesting Accessibility Service privileges, limiting the function to Google Play-sourced APKs.

However, researchers at ThreatFabric were able to create a proof-of-concept dropper that easily bypassed this new security feature to gain access to Accessibility Services.

Bypassing Android 13's restricted setting feature
Bypassing Android 13's restricted setting feature
Source: ThreatFabric

Bypassing Android's Restricted settings

In a new report released today, Threat Fabric has discovered a new Android malware dropper that is already adding new features to bypass the new Restricted setting security feature.

While following the Xenomorph Android malware campaigns, Threat Fabric discovered a new dropper still under development. This dropper was named "BugDrop" after the many flaws that plague its operation at this early phase.

This novel dropper features code similar to Brox, a freely distributed malware development tutorial project circulating on hacker forums, but with a modification in one string of the installer function.

"What drew our attention is the presence in the Smali code of the string "com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED," explains Threat Fabric in the report.

"This string, which is not present in the original Brox code, corresponds to the action required by intents to create an installation process by session."

String that invokes session-based installation
String that invokes session-based installation (Threat Fabric)

Third-party apps have two methods to install other apps. The first and most common is the non-session-based installation method, which essentially hands off the installation of a single APK file to the system package installer.

The second is the session-based installation method, which lets apps commit the installation of one or more APK files at once. Commonly used by app stores, it allows for installing multiple APK files in one go, with apps distributed as a single "base" APK and multiple "split" APKs (i.e. language packs).

On Android 13, Google decided to restrict access to Accessibility Service and Notification Listener, two highly privileged APIs, only to apps that are installed using the session-based installation method.

Apps sideloaded through the session-based installation method will not see the "Restricted Setting" dialog and hence users can enable their Accessibility Service and/or Notification Listener.

If malware droppers like BugDrop use this installation method to side-load the malware payload, Android 13 recognizes the use of the API and doesn't apply the restriction.

"When fully implemented, this slight modification would circumvent Google's new security measures fully, even before they are effectively in place," comments Threat Fabric.

BleepingComputer has reached out to Google with further questions about this bypass and will update the story with any response.

Hadoken group

BugDrop is still a work in progress by a group of malware authors and operators named 'Hakoden,' who are also responsible for creating the Gymdrop dropper and the Xenomorph Android banking trojan.

When BugDrop is ready for mass deployment, it is expected to be used in Xenomorph campaigns, enabling on-device credential theft and fraud behavior on the most recent Android devices.

Additionally, the latest Xenomorph samples analyzed by Threat Fabric have added remote access trojan (RAT) modules, making the malware an even more potent threat.

Post updated on 8/18/22 to better reflect how the malware authors use session-based installation to access the mentioned Android API and bypass the Accessibility Service restriction, thanks to detailed information shared by Android journalist Mishaal Rahman.

For a more in-depth dive into how the new security system works and what its weak points are, check out this blog post.

Related Articles:

Over 90 malicious Android apps with 5.5M installs found on Google Play

New Medusa malware variants target Android users in seven countries

Snowblind malware abuses Android security feature to bypass security

Police seize over 100 malware loader servers, arrest four cybercriminals

Banking malware Grandoreiro returns after police disruption