The PolySwarm Blog


SecuriDropper Android Malware

Nov 17, 2023 1:27:39 PM / by The Hivemind

Related Families: SpyNote, Ermac

Executive Summary

SecuriDropper is a widely distributed dropper-as-a-service that bypasses Android Restricted Settings.

Key Takeaways

  • SecuriDropper is a widely distributed dropper-as-a-service that bypasses Android Restricted Settings.
  • It uses a two-stage infection process, with the first stage involving a seemingly benign app and the second involving the installation of a secondary payload.
  • Secondary payloads often include spyware and banking Trojans.
  • SecuriDropper uses an Android API that allows it to mimic the use of a session-based installer, making it appear to be an app from the official Android store.

What is SecuriDropper?

SecuriDropper is a widely distributed dropper-as-a-service that bypasses Android Restricted Settings. Restricted Settings, introduced in Android 13 as an anti-malware protection, limits the privileges that sideloaded apps can be granted. ThreatFabric reported on SecuriDropper.

Restricted Settings prohibits sideloaded apps from directly requesting Accessibility settings and Notification Listener access. These two features are often abused by malware. However, the restrictions do not apply to apps downloaded from the official Android app store. The installation method used to load official versus sideloaded apps differs, allowing Android’s operating system to distinguish between sideloaded and official apps, with official apps using a “session-based” package installer. However, if a sideloaded app finds a way to use a session-based installer, it can potentially bypass these restrictions. SecuriDropper is among the first Android malware known to bypass restricted settings using this method.

SecuriDropper uses a two-stage infection process. In the first stage, a seemingly benign app is distributed, often disguised as another legitimate app. This app serves as the dropper. In the second stage, this dropper is responsible for installing a secondary payload, such as spyware or banking Trojans, on the victim’s mobile device. Since the tasks are performed separately, it is more difficult for security measures to detect the malicious payload. Unlike previous Android droppers, SecuriDropper uses a different Android API to install the new payload, using a session-based installer. This allows the installed payload to bypass Restricted Settings, as it appears to be an official app.
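A defender-side triage check for the behaviour described above, added here as an example and not PolySwarm's or ThreatFabric's code: it parses the output of `adb shell pm list packages -i` together with the two secure settings that list enabled Accessibility services and Notification Listeners, and flags any package holding that access whose installer is not an allow-listed store. It assumes that a payload installed through a dropper's install session reports the dropper (not a store) as its installer, and it runs on constructed sample output.

```python
import re

# Installer package names treated as official stores. Assumption: extend
# this set with OEM stores that are trusted on the fleet being triaged.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer from 'adb shell pm list packages -i'."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_components(setting_output: str) -> set:
    """Package names from a colon-separated 'pkg/Service' secure setting."""
    pkgs = set()
    for entry in setting_output.strip().split(":"):
        if entry and entry != "null":
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def flag_suspicious(pm_output: str, a11y_output: str, listener_output: str) -> list:
    """Return (package, installer) for apps holding Accessibility or
    Notification Listener access that no trusted store installed."""
    installers = parse_installers(pm_output)
    privileged = parse_components(a11y_output) | parse_components(listener_output)
    return [(pkg, installers.get(pkg, "unknown"))
            for pkg in sorted(privileged)
            if installers.get(pkg, "unknown") not in TRUSTED_INSTALLERS]


# Constructed sample output, not captured from a real device. The payload
# reports the dropper ("cleaner") as its installer rather than a store.
SAMPLE_PM = """package:com.android.vending  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.cleaner  installer=null
package:com.example.payload  installer=com.example.cleaner
"""
SAMPLE_A11Y = "com.example.payload/.A11yService:com.example.bank/.Helper"
SAMPLE_LISTENERS = "com.example.payload/.Listener"

if __name__ == "__main__":
    for pkg, installer in flag_suspicious(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_LISTENERS):
        print(f"{pkg}: privileged access, installer={installer}")
```

The settings are read with `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners`; a hit is a starting point for review, not proof of compromise, since legitimate sideloaded apps can hold the same access.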

ThreatFabric noted some SecuriDropper samples were observed dropping SpyNote, a notorious spyware family with RAT capabilities. SecuriDropper was also observed dropping the Ermac banking trojan.

IOCs

SecuriDropper

PolySwarm has a sample of SecuriDropper.

68234450d90668909697893a76fc4a0791b35ba3f7bfc4d9d14f2866706019f3

You can use the following CLI command to search for all SecuriDropper samples in our portal:

$ polyswarm link list -f SecuriDropper

SpyNote

PolySwarm has a sample of SpyNote.

22630eee4fdf1958e6c98721f0ccc522b2413a6f6c49f315f34c45726bf18b2d

You can use the following CLI command to search for all SpyNote samples in our portal:

$ polyswarm link list -f SpyNote


Topics: Threat Bulletin, Android, Mobile, Ermac, SpyNote, SecuriDropper, Dropper-as-a-service
