New Android malware dropper sneaks past Google — protect yourself now

Android malware on phone
(Image credit: Shutterstock)

Installing malware on the best Android phones has recently become more difficult due to Google’s own restrictions. However, cybercriminals have created a new malware dropper capable of bypassing Android’s Restricted Settings security feature.

As reported by BleepingComputer and discovered by the cybersecurity firm ThreatFabric, malware droppers like the newly uncovered SecuriDropper provide hackers with a way to install malicious payloads on compromised devices. Just like with everything else these days, malware droppers are sold as a subscription service (dropper-as-a-service or DaaS for short) which hackers sign up and pay for to use in their attacks.

ThreatFabric also points out in its new report that droppers let hackers “separate the development and execution of an attack from the installation of the malware.” Creating new malware droppers can be quite profitable and instead of launching attacks against businesses and individuals to steal money, some cybercriminals now prefer to develop tools for other hackers.

What makes SecuriDropper particularly concerning is that it can get around Google’s Restricted Settings feature which launched with Android 13. This means that malware installed using this dropper is able to access powerful features like Android’s Accessibility settings and Notification Listener. Here’s everything you need to know about SecuriDropper and how hackers are now using this advanced dropper in their attacks.

Sideloading Android malware

Android’s Accessibility settings and Notification Listener are two permissions that have been frequently abused by hackers in the past. This is why Google introduced its Restricted Settings feature in Android 13 as it protects users by blocking these two permissions from being granted approval.

For instance, Android’s Accessibility settings can be abused by hackers to capture text on your smartphone’s screen, to grant additional permissions to their malware and to perform navigation actions remotely. Meanwhile, Notification Listener can be used to steal one-time passwords.

ThreatFabric created a proof-of-concept dropper back in August of last year to show that it is possible to get around Android 13’s Restricted Settings security feature. This dropper used the session-based installation API for malicious Android package (APK) files in which parts of these bad apps were installed in multiple steps in order to bypass Restricted Settings.

Now though, according to ThreatFabric’s security researchers, SecuriDropper is doing the same thing to side-load malware onto targeted Android devices. The dropper does this by posing as a legitimate app such as a video player, security app or a game. However, once installed, a second payload is then downloaded which is some form of malware.

So far, ThreatFabric has observed the SpyNote malware being distributed through SecuriDropper by posing as a Google Translate app. The dropper in question has also been used to distribute the banking trojan Ermac by impersonating the Chrome browser.

How to stay safe from Android malware

A hand holding a phone securely logging in

(Image credit: Google)

The easiest and simplest way to stay safe from Android malware is to avoid sideloading apps onto your phone. While it may be tempting as well as convenient to download an APK file and install it to get a new app, it just isn’t worth the risk.

Unlike on the Google Play Store, Amazon Appstore and Samsung Galaxy Store, sideloaded apps don’t go through the same rigorous security checks that apps downloaded from official Android app stores do. Sure, malicious apps do manage to slip through the cracks from time to time, but overall, you’ll be much safer downloading and installing new apps from an official store as opposed to sideloading them.

If you did download a shady app, you can always check to see which permissions it has access to by going to the Settings menu and finding that particular app under Apps. By selecting permissions from this menu, you’ll be able to see all of the different permissions an app has access to and disable them if you think something fishy is going on.

While the best Android antivirus apps will provide you with excellent protection against malware, if you’re on a tight budget, Google Play Protect also scans all of your existing and any new apps you download for malware — and it’s free. For additional protection from bad apps though, you may also want to consider the best identity theft protection services as they can help you recover from fraud and get your identity back.

As malware droppers have quickly turned into a lucrative business for hackers, SecuriDropper won’t likely be the last one we see. However, if you’re careful when installing new apps and avoid sideloading them, you’re less likely to end up with a nasty malware infection on your Android phone.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

TOPICS