Cybercriminals Developing BugDrop Malware to Bypass Android Security Features

In a sign that malicious actors continue to find ways to work around Google Play Store security protections, researchers have spotted a previously undocumented Android dropper trojan that’s currently in development.

“This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals to perform On-Device Fraud on victim’s devices,” ThreatFabric’s Han Sahin said in a statement shared with The Hacker News.

Dubbed BugDrop by the Dutch security firm, the dropper app is explicitly designed to defeat new features introduced in the upcoming version of Android that aim to make it difficult for malware to request Accessibility Services privileges from victims.

ThreatFabric attributed the dropper to a cybercriminal group known as “Hadoken Security,” which is also behind the creation and distribution of the Xenomorph and Gymdrop Android malware families.

Banking trojans are typically deployed on Android devices through innocuous dropper apps that pose as productivity and utility apps, which, once installed, trick users into granting invasive permissions.

Notably, the Accessibility API, which lets apps read the contents of the screen and perform actions on behalf of the user, has come under heavy abuse, enabling malware operators to capture sensitive data such as credentials and financial information.

This is achieved by means of what’s called overlay attacks, wherein the trojan injects a fake lookalike login form, retrieved from a remote server, when a desired app such as a cryptocurrency wallet is opened by the victim.

Given that most of these malicious apps are sideloaded (something that’s only possible if the user has allowed installation from unknown sources), Google, with Android 13, has taken the step of blocking accessibility API access to apps installed from outside of an app store.

But that hasn’t stopped adversaries from attempting to circumvent this restricted security setting. Enter BugDrop, which masquerades as a QR code reader app and is being tested by its authors to deploy malicious payloads via a session-based installation process.
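As an added example (not code from ThreatFabric or from the article), the following defender-side audit lists every enabled accessibility service and flags any whose installing package is not a known app store, which is exactly the condition Android 13’s restricted-settings protection is meant to enforce and that a session-based install from a dropper would violate. The `STORE_INSTALLERS` allowlist, `auditAccessibilityServices` and `AccessibilityFinding` are assumptions of this example; `getInstallSourceInfo` requires API 30 or later.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import android.view.accessibility.AccessibilityManager

// Constructed allowlist of installer packages treated as "app stores" (assumption:
// extend it with the stores actually used on the devices being audited).
val STORE_INSTALLERS = setOf("com.android.vending")

data class AccessibilityFinding(
    val packageName: String,        // package that owns the enabled accessibility service
    val installingPackage: String?, // package that performed the install (null if unknown)
    val initiatingPackage: String?, // package that initiated the install (null if unknown)
    val suspicious: Boolean,        // true when the installer is not a known store
)

/**
 * Enumerates enabled accessibility services and resolves who installed each
 * owning package. A payload dropped through a PackageInstaller session shows
 * the dropper as the installing package, so anything outside the store
 * allowlist (or with no recorded installer) is reported as suspicious.
 */
fun auditAccessibilityServices(context: Context): List<AccessibilityFinding> {
    val am = context.getSystemService(AccessibilityManager::class.java)
    val pm = context.packageManager
    val enabled = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
    return enabled.map { info ->
        val pkg = info.resolveInfo.serviceInfo.packageName
        var installing: String? = null
        var initiating: String? = null
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            try {
                val src = pm.getInstallSourceInfo(pkg)
                installing = src.installingPackageName
                initiating = src.initiatingPackageName
            } catch (e: PackageManager.NameNotFoundException) {
                // Package removed between enumeration and lookup: leave installer unknown.
            }
        }
        val suspicious = installing == null || installing !in STORE_INSTALLERS
        AccessibilityFinding(pkg, installing, initiating, suspicious)
    }
}
```

A finding with `suspicious == true` is a candidate for user notification or enterprise reporting, not proof of compromise; system and OEM accessibility services should be added to the allowlist for the device in question.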

“What is likely happening is that actors are using an already built malware, capable of installing new APKs on an infected device, to test a session-based installation method, which would then later be incorporated in a more elaborate and refined dropper,” the researchers said.

These changes, should they become a reality, could make banking trojans a more dangerous threat, capable of bypassing security defenses even before they are in place.

“With the completion and resolution of all the issues currently present in BugDrop, criminals will have another efficient weapon in the war against security teams and banking institutions, defeating solutions that are currently being adopted by Google, which are clearly not sufficient to deter criminals,” the company noted.

Users are advised to avoid falling victim to malware hidden in official app stores by only downloading applications from known developers and publishers, scrutinizing app reviews, and checking their privacy policies.
