Hackers have found a way to bypass Android’s “Restricted Settings” and install malware on a victim’s devices.
Restricted Settings is a security feature first introduced in Android 13 that prevents apps downloaded from non-vetted sources (i.e. places other than the Google Play Store, or sideloaded apps) from accessing key Android settings, such as Accessibility, or Notification Listener.
Apps that are granted Accessibility features can perform additional actions on the device such as installing other apps, grabbing text and other data, recording audio and video, and more. Almost all malicious apps require Accessibility options to be enabled, which is one of the best red flags possible. Notification Listener does exactly what it sounds like it’s doing, and hackers can use it to steal multi-factor authentication codes, especially those coming in via SMS.
SecuriDropper
A report from cybersecurity researchers ThreatFabric found the new malware is a dropper-as-a-service called SecuriDropper. Victims usually think they’re downloading software updates, video apps, games, or similar. The first thing the app does is ask for Read & Write External Storage permissions, as well as Install & Delete Packages, which grants it the ability to download and install additional apps.
Then, it says the app wasn’t installed properly (or requires an update) and displays a Reinstall button which downloads the second-stage payload.
While these payloads may vary, depending on the endpoint targeted, the researchers observed the SpyNote malware being dropped via SecuriDropper, as well as the Ermac banking trojan.
SpyNote can log keystrokes, exfiltrate call logs, pull data from installed apps, and more. Uninstalling it is also quite a task.
The best way to stay safe is to use common sense – only download apps from trusted sources and make sure they have plenty of downloads and solid reviews. Also, pay close attention to the permissions the apps ask upon installation – if they’re excessive, it’s most likely malware.
Via BleepingComputer