
Cybercriminals Developing BugDrop Malware To Bypass Android Security Features


In a sign that malicious actors continue to find ways to work around Google Play Store security protections, researchers have spotted a previously undocumented Android dropper trojan that’s currently in development.

This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals to perform On-Device Fraud on victims’ devices.

BugDrop Helps Penetrate Data Packages

Dubbed BugDrop by the Dutch security firm, the dropper app is explicitly designed to defeat new features introduced in the upcoming version of Android that aim to make it difficult for malware to request Accessibility Services privileges from victims.

Banking trojans are typically deployed on Android devices through innocuous dropper apps that pose as productivity and utility apps, which, once installed, trick users into granting invasive permissions.

Notably, the Accessibility API, which lets apps read the contents of the screen and perform actions on behalf of the user, has come under heavy abuse.

It enables malware operators to capture sensitive data such as credentials and financial information.

Given that most of these malicious apps are sideloaded – something that’s only possible if the user has allowed installation from unknown sources – Google, with Android 13, has taken the step of entirely blocking accessibility API access to apps installed from outside of an app store.

But that hasn’t stopped adversaries from attempting to circumvent this restricted security setting.
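For defenders auditing a device, the combination described above (an app with an accessibility service enabled that did not come from an app store) can be checked from two standard `adb` outputs. The script below is an added example, not taken from the research discussed here; the package names and sample outputs are constructed, and the trusted-installer list is an assumption to adjust for your environment.

```python
import re

# Assumption: installers treated as app stores; adjust for your device fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i` output.
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.example.qrscanner  installer=com.google.android.packageinstaller
package:com.example.cleaner  installer=com.example.qrscanner
package:com.example.devtool  installer=null
"""

# Constructed sample of
# `adb shell settings get secure enabled_accessibility_services` output.
SAMPLE_A11Y = ("com.example.cleaner/com.example.cleaner.HelperService:"
               "com.example.bank/.ScreenReaderService")

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Map package name -> installer of record (None when unset)."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers

def parse_a11y_packages(setting_value):
    """Extract package names from colon-separated ComponentName strings."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def flag_sideloaded_a11y(pm_output, setting_value):
    """Return (package, installer) pairs: accessibility on, non-store installer."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg in sorted(parse_a11y_packages(setting_value)):
        inst = installers.get(pkg)
        if inst not in TRUSTED_INSTALLERS:
            findings.append((pkg, inst))
    return findings

if __name__ == "__main__":
    for pkg, inst in flag_sideloaded_a11y(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print(f"review: {pkg} has accessibility enabled, installer={inst}")
```

A finding is a prompt for review rather than proof of compromise, since legitimate sideloaded accessibility tools will also appear.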

APK Malware Creates Dangers

Enter BugDrop, which masquerades as a QR code reader app and is being tested by its authors to deploy malicious payloads via a session-based installation process.

What is likely happening is that actors are using an already built malware, capable of installing new APKs on an infected device, to test a session-based installation method.

The changes, should they become a reality, could make the banking trojans a more dangerous threat capable of bypassing security defenses even before they are in place.

With the completion and resolution of all the issues currently present in BugDrop, criminals will have another efficient weapon in the war against security teams and banking institutions.

Users are advised to avoid falling victim to malware hidden in official app stores by only downloading applications from known developers and publishers, scrutinizing app reviews, and checking their privacy policies.
