Key Takeaways
What is SecuriDropper?
SecuriDropper is a widely distributed dropper-as-a-service that bypasses Android Restricted Settings. Restricted Settings, which imposes restrictions on the privileges granted to sideloaded apps, was introduced in Android 13 for anti-malware protection. ThreatFabric reported on SecuriDropper.
Restricted Settings prevents sideloaded apps from directly requesting Accessibility Service and Notification Listener access, two features that malware frequently abuses. The restrictions do not apply to apps installed from the official Android app store. Android distinguishes official from sideloaded apps by the installation method: official apps are installed through a “session-based” package installer. A sideloaded app that finds a way to use a session-based installer can therefore potentially bypass these restrictions. SecuriDropper is among the first Android malware families known to bypass Restricted Settings using this method.
SecuriDropper uses a two-stage infection process. In the first stage, a seemingly benign app is distributed, often disguised as another legitimate app. This app serves as the dropper. In the second stage, this dropper is responsible for installing a secondary payload, such as spyware or banking Trojans, on the victim’s mobile device. Since the tasks are performed separately, it is more difficult for security measures to detect the malicious payload. Unlike previous Android droppers, SecuriDropper uses a different Android API to install the new payload, using a session-based installer. This allows the installed payload to bypass Restricted Settings, as it appears to be an official app.
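The install-method detail above gives defenders a concrete signal: when a third-party app installs a payload through a session-based installer, Android records that app, not the store, as the installing package. The following Android audit routine is an added example written for this post, not code from PolySwarm or ThreatFabric, and it uses only public Android SDK APIs. It lists non-system apps that currently hold Accessibility Service or Notification Listener access and whose recorded installer is not a trusted store, which is the footprint a SecuriDropper-installed payload would leave on a device. The TRUSTED_INSTALLERS set and the QUERY_ALL_PACKAGES requirement are assumptions to adjust for the device and store in use.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.InstallSourceInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.provider.Settings;
import android.view.accessibility.AccessibilityManager;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Example audit (not PolySwarm or ThreatFabric code): flag user-installed apps that
 * hold Accessibility or Notification Listener access but were not installed by a
 * trusted store. A payload dropped via a session-based install from another app
 * shows that app as its installer.
 */
public final class SideloadAccessAudit {

    // Assumption: extend with the device's real stores (e.g. an OEM store package).
    private static final Set<String> TRUSTED_INSTALLERS =
            new HashSet<>(Arrays.asList("com.android.vending"));

    public static final class Finding {
        public final String pkg;
        public final String installer;          // "(none)" for adb/unknown installs
        public final boolean installerIsUserApp; // true = dropper-style chain
        public final boolean accessibility;
        public final boolean notificationListener;

        Finding(String pkg, String installer, boolean installerIsUserApp,
                boolean accessibility, boolean notificationListener) {
            this.pkg = pkg;
            this.installer = installer;
            this.installerIsUserApp = installerIsUserApp;
            this.accessibility = accessibility;
            this.notificationListener = notificationListener;
        }
    }

    /** Needs android.permission.QUERY_ALL_PACKAGES on Android 11+ to see other apps. */
    public static List<Finding> audit(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        Set<String> a11y = enabledAccessibilityPackages(ctx);
        Set<String> listeners = enabledNotificationListenerPackages(ctx);
        List<Finding> out = new ArrayList<>();
        for (ApplicationInfo app : pm.getInstalledApplications(0)) {
            if ((app.flags & ApplicationInfo.FLAG_SYSTEM) != 0) continue;
            boolean hasA11y = a11y.contains(app.packageName);
            boolean hasListener = listeners.contains(app.packageName);
            if (!hasA11y && !hasListener) continue;      // no sensitive access held
            String installer = installingPackage(pm, app.packageName);
            if (installer != null && TRUSTED_INSTALLERS.contains(installer)) continue;
            boolean installerIsUserApp = installer != null && !isSystemApp(pm, installer);
            out.add(new Finding(app.packageName, installer == null ? "(none)" : installer,
                    installerIsUserApp, hasA11y, hasListener));
        }
        return out;
    }

    private static String installingPackage(PackageManager pm, String pkg) {
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                // The package that drove the install session; for a third-party
                // session-based install this is that app, not the store.
                InstallSourceInfo info = pm.getInstallSourceInfo(pkg);
                return info.getInstallingPackageName();
            }
            return pm.getInstallerPackageName(pkg);
        } catch (PackageManager.NameNotFoundException e) {
            return null;
        }
    }

    private static boolean isSystemApp(PackageManager pm, String pkg) {
        try {
            return (pm.getApplicationInfo(pkg, 0).flags & ApplicationInfo.FLAG_SYSTEM) != 0;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    private static Set<String> enabledAccessibilityPackages(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        Set<String> pkgs = new HashSet<>();
        for (AccessibilityServiceInfo svc :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            pkgs.add(svc.getResolveInfo().serviceInfo.packageName);
        }
        return pkgs;
    }

    private static Set<String> enabledNotificationListenerPackages(Context ctx) {
        // The secure setting is a ':'-separated list of flattened ComponentNames.
        String raw = Settings.Secure.getString(ctx.getContentResolver(),
                "enabled_notification_listeners");
        Set<String> pkgs = new HashSet<>();
        if (raw == null || raw.isEmpty()) return pkgs;
        for (String flat : raw.split(":")) {
            ComponentName cn = ComponentName.unflattenFromString(flat);
            if (cn != null) pkgs.add(cn.getPackageName());
        }
        return pkgs;
    }
}
```

A finding with installerIsUserApp set is the case worth triaging first: a non-system app that holds Accessibility or Notification Listener access and was itself installed by another user-installed app matches the dropper-then-payload chain described above. Entries with installer "(none)" are ordinary sideloads (for example via adb) and are lower priority unless the device policy forbids them.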
ThreatFabric noted some SecuriDropper samples were observed dropping SpyNote, a notorious spyware family with RAT capabilities. SecuriDropper was also observed dropping the Ermac banking trojan.
IOCs
SecuriDropper
PolySwarm has a sample of SecuriDropper.
68234450d90668909697893a76fc4a0791b35ba3f7bfc4d9d14f2866706019f3
You can use the following CLI command to search for all SecuriDropper samples in our portal:
$ polyswarm link list -f SecuriDropper
SpyNote
PolySwarm has a sample of SpyNote.
22630eee4fdf1958e6c98721f0ccc522b2413a6f6c49f315f34c45726bf18b2d
You can use the following CLI command to search for all SpyNote samples in our portal:
$ polyswarm link list -f SpyNote