
SecuriDropper Acts as An Android Dropper-as-a-Service, Outsmarting Google’s Security Measures

SecuriDropper, a “Dropper-as-a-Service” (DaaS) built for Android, has recently emerged and drawn the attention of mobile security researchers.

It has demonstrated an ability to bypass a security constraint Google introduced in Android 13 and to deliver malicious payloads onto targeted devices.

Mobile Security is Not a Small Game!

APT41, a China-linked state-sponsored actor best known for exploiting internet-facing applications and compromising endpoints, has extended its toolset to Android spyware tracked as WyrmSpy and DragonEgg.

That expansion underlines how valuable mobile endpoints have become, for corporate and personal data alike.

The initial intrusion vector for these two surveillanceware families remains unclear; their attribution to APT41 rests on shared command-and-control infrastructure.

Don’t Feel Over Safe

Additionally, Google’s Project Zero disclosed 18 zero-day vulnerabilities in Samsung’s Exynos modems, which ship in Android smartphones, wearables, and vehicles.

Four of them allowed Internet-to-baseband remote code execution: an attacker who knew only the victim’s phone number could compromise the cellular modem with no user interaction.

Because the baseband sits below the operating system, a skilled attacker can breach an affected device silently, without any visible sign to its owner.

Furthermore, a lesser-known threat stems from dynamic code loading, a mechanism many legitimate apps, including Google’s own, use to fetch and execute code at runtime.

A malicious app can abuse the same mechanism: it ships clean, passes review, and later downloads code that exercises the permissions the user has already granted, compromising sensitive data without the user’s knowledge.

World of Dropper Malware

Dropper malware is a delivery mechanism: its job is to install a second-stage payload on a device it has already reached. Offered as a service, it is an attractive business model, because the operator can sell installs to other criminal groups.

This approach also separates the work. The payload developer and the operator running the campaign never have to solve the installation problem themselves, and the dropper is the only component exposed to installation-time defenses.

Google’s Security Not Enough!

Google introduced a security feature in Android 13 called “Restricted Settings.” It blocks sideloaded applications, meaning apps installed through the intent-based, non-session installer path used for browser downloads and file managers, from being granted Accessibility Service and Notification Listener access. Those two capabilities are what banking trojans rely on for overlay attacks and for intercepting one-time codes.

SecuriDropper sidesteps this constraint: it installs its payload the way an app store would, so Android does not treat the payload as sideloaded and the restriction is never applied.
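One check a defender can run on a device, as an added example that is not from the article or from the researchers who documented SecuriDropper: list which apps currently hold Accessibility access and who installed each of them, working from the text output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`. The device output embedded below is constructed for the example, and the set of trusted store installers is an assumption to adjust per fleet. The caveat the example is built around: a payload installed through the session-based API reports the dropper as its installer rather than `null`, so a check that only looks for `installer=null` misses exactly the case Restricted Settings was meant to catch.

```python
"""Audit Accessibility-holding apps by install provenance (added example)."""
import re

# Assumption: store front-ends this fleet trusts. OEM stores would be added here.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line per package in `adb shell pm list packages -i` output.
PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")

# Constructed device output for the example: a sideloaded "PDF viewer" (the
# dropper) has installed a second app, which then obtained Accessibility.
PM_OUTPUT = """\
package:com.android.vending  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.example.password.manager  installer=com.android.vending
package:com.pdf.viewer.free  installer=null
package:com.system.update.helper  installer=com.pdf.viewer.free
"""
A11Y_SETTING = (
    "com.example.password.manager/com.example.password.manager.FillService:"
    "com.system.update.helper/com.system.update.helper.AccessService"
)


def parse_installers(pm_output):
    """Map package -> installer package. 'null' (adb installs, preloaded
    system apps) is stored as None."""
    installers = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def parse_accessibility(setting):
    """Packages named in enabled_accessibility_services: entries are
    'pkg/ServiceClass' joined by ':'; the value is 'null' or empty when none."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [entry.split("/", 1)[0] for entry in setting.split(":") if entry]


def install_chain(pkg, installers, limit=5):
    """Follow installer links: payload -> dropper -> (null), with a cycle guard."""
    chain = [pkg]
    while len(chain) <= limit:
        nxt = installers.get(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def audit(pm_output, a11y_setting, trusted=TRUSTED_INSTALLERS):
    """Return a verdict and install chain for every app holding Accessibility."""
    installers = parse_installers(pm_output)
    report = {}
    for pkg in parse_accessibility(a11y_setting):
        installer = installers.get(pkg)
        if installer in trusted:
            verdict = "store-installed"
        elif installer is None:
            # adb sideload, preload or unknown origin: verify manually.
            verdict = "sideloaded"
        else:
            # Installed by another user-level app through the session API:
            # the pattern the article describes. Restricted Settings does not
            # apply to it, so the installer chain is the signal to follow.
            verdict = "installed-by-app"
        report[pkg] = {"verdict": verdict, "chain": install_chain(pkg, installers)}
    return report


if __name__ == "__main__":
    for pkg, info in audit(PM_OUTPUT, A11Y_SETTING).items():
        print(f"{info['verdict']:18} {' <- '.join(info['chain'])}")
```

Run against live output by piping the two adb commands into `audit`. Any `installed-by-app` result whose chain ends in a non-store package is the dropper pattern and deserves a look at both the payload and the app that installed it.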

SecuriDropper’s Installation Trick

What distinguishes SecuriDropper is its unique approach to the installation procedure. 

Stage 1

Unlike its predecessors, which hand their payload to the intent-based installer, SecuriDropper uses Android’s session-based PackageInstaller API, the same path legitimate marketplaces use to install new applications. Restricted Settings only marks apps that arrive through the non-session path as sideloaded, so a payload installed this way is not restricted.

To do so, the dropper requests permission to read and write external storage (READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE), where it stages the payload APK, and permission to install and delete packages (REQUEST_INSTALL_PACKAGES and DELETE_PACKAGES).

Stage 2

In the second stage, the dropper displays a fake installation error and asks the victim to tap a “Reinstall” button to fix it. The tap triggers the installation of the malicious payload, which lands on the device without Restricted Settings being enforced against it.
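For the analyst looking at the dropper APK itself, the Stage 1 permission set is the visible tell. The following added example (not code from the article or from the researchers behind the report) triages a decoded AndroidManifest.xml, as apktool produces it, for that pattern: the storage permissions together with REQUEST_INSTALL_PACKAGES, and separately DELETE_PACKAGES and any service gated by Restricted Settings. Both manifests are constructed, and the scoring is a triage heuristic of mine rather than a signature: legitimate file managers and alternative app stores also request REQUEST_INSTALL_PACKAGES. DELETE_PACKAGES, by contrast, has protection level signature|privileged, so a third-party app cannot actually be granted it and its presence in a manifest is itself suspicious.

```python
"""Triage a decoded AndroidManifest.xml for the dropper permission pattern (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Stage 1 permissions from the text: stage the payload on disk, then install it.
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# signature|privileged: a third-party app requesting it will never be granted it.
DELETE_PERM = "android.permission.DELETE_PACKAGES"

# Bind permissions of the two service types Restricted Settings gates.
GATED_BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}

# Constructed manifests: a dropper posing as a PDF viewer, and a payload that
# requests nothing install-related but declares an accessibility service.
DROPPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.pdf.viewer.free">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
    <application android:label="PDF Viewer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""
PAYLOAD_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.system.update.helper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="System Update">
        <service android:name=".AccessService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
                 android:exported="true">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage(manifest_xml):
    """Return package name, verdict and human-readable findings for one manifest."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    gated = [s.get(A_NAME) for s in root.iter("service")
             if s.get(A_PERMISSION) in GATED_BIND_PERMS]

    findings = []
    can_stage_and_install = INSTALL_PERM in requested and bool(requested & STORAGE_PERMS)
    if can_stage_and_install:
        findings.append("can stage an APK on external storage and install it")
    if DELETE_PERM in requested:
        findings.append("requests DELETE_PACKAGES, which third-party apps cannot be granted")
    if gated:
        findings.append("declares Restricted-Settings-gated service(s): " + ", ".join(gated))

    if can_stage_and_install:
        verdict = "dropper-like"
    elif gated:
        verdict = "review-gated-services"
    else:
        verdict = "low"
    return {"package": root.get("package"), "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for manifest in (DROPPER_MANIFEST, PAYLOAD_MANIFEST):
        result = triage(manifest)
        print(result["package"], "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

The two manifests illustrate why a triage rule that only hunts for BIND_ACCESSIBILITY_SERVICE misses a dropper: the dropper’s own manifest declares no gated service at all, because that capability lives in the payload it installs.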

Banking Trojans Not Going Slow: We Need to Speed UP!

Android banking trojans such as SpyNote and ERMAC have been distributed through SecuriDropper via deceptive websites and third-party platforms such as Discord.

Zombinder, another dropper service thought to have shut down earlier in the year, has since been observed offering a similar workaround for the Restricted Settings feature.

Whether the two tools are connected remains unknown.

Insights and Limitations

Mobile security has changed, and nobody disputes that. With so many manufacturers and operating system versions in circulation, consistent protection is hard to achieve.

And because malware and trojans with these capabilities can establish themselves quickly, users need to act on updates and security prompts without delay.

Despite OS updates and new security settings, users often postpone installing updates or skip basic precautions such as firewalls and VPNs. Human error remains a significant challenge.

With state actors like APT41 and criminal services like DaaS both targeting phones, endpoint protection has become crucial. For organizations and individuals alike, staying secure on mobile devices is essential.

Anas Hasan

November 7, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast with vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football.
