SecuriDropper Mobile Malware

Cybersecurity experts have unveiled a novel service called SecuriDropper, which operates as a 'dDopper-as-a-Service' (DaaS) for Android devices. SecuriDropper is designed to circumvent the latest security restrictions implemented by Google and successfully deploys malware onto Android devices.

A dropper malware on Android serves as a means to facilitate the installation of threatening software on compromised devices, creating a profitable business model for fraud-related individuals. These threat actors can market their capabilities to other criminal organizations.

Furthermore, this approach enables adversaries to separate the development and execution of an attack from the actual installation of the malware. The landscape of droppers and the individuals orchestrating them is in a constant state of flux as they adapt to counter-evolving security measures.

SecuriDropper Bypasses Several Security Measures

Google's Android 13 has introduced a security feature known as "Restricted Settings." This feature is designed to prevent sideloaded applications from acquiring Accessibility and Notification Listener permissions, which are frequently exploited by banking Trojans.

SecuriDropper has been engineered to bypass this safeguard without arousing suspicion, often masquerading as seemingly innocuous applications. Some of the instances encountered in the wild include:

com.appd.instll.load (Google)

com.appd.instll.load (Google Chrome)

What sets SecuriDropper apart is its unique approach to the installation process. Unlike its predecessors, this malware family employs an alternative Android API to install the new payload, mirroring the process employed by legitimate application marketplaces for new application installations. This involves requesting permissions to read and write data to external storage (READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE) and to install and delete packages (REQUEST_INSTALL_PACKAGES and DELETE_PACKAGES).

In the second stage of the attack, victims are prompted to click on a "Reinstall" button within the app to address a purported installation error, facilitating the installation of the malicious payload.

Researchers have observed the distribution of Android banking Trojans like SpyNote and ERMAC through SecuriDropper on deceptive websites and third-party platforms such as Discord.

Cybercriminals are Evolving Their Threatening Tools

Yet another dropper service, known as Zombinder, has come to light, offering a bypass for the Restricted Settings feature. Zombinder is an APK binding tool that was believed to have been shut down earlier this year. It remains uncertain whether there is any link between these two tools.

As Android continues to set higher security standards with each new release, cybercriminals are equally quick to adjust and find new solutions. Dropper-as-a-Service (DaaS) platforms have risen as powerful instruments, enabling fraud-related individuals to breach devices and distribute spyware and banking Trojans.