SecuriDropper, a new cyber threat that bypasses Google defences

February 13, 2024
Tags: SecuriDropper, Google, Mobile Security, Android, Cyber threat, Dropper, Malware

SecuriDropper is a new Android Dropper-as-a-Service (DaaS) that bypasses Google’s latest security defences. According to the researchers who documented it, it gives its operators a reliable way to deliver malware to unsuspecting victims.

On Android, a dropper is a first-stage app whose only job is to install a second, malicious payload on the device. Droppers have become common because they evolved into a lucrative business model: the operators use them in their own campaigns and also rent their capabilities to other criminal groups.

This separates developing the payload and running the campaign from the mechanics of getting the payload installed. Researchers note that droppers and the actors behind them evolve constantly in order to stay one step ahead of new security measures.

Google’s Restricted Settings, and how SecuriDropper gets around them.

With Android 13, Google introduced a measure called Restricted Settings to counter droppers of this kind. It blocks sideloaded apps from being granted Accessibility and Notification Listener access, two permissions that banking trojans routinely abuse to read what is on screen and intercept notifications.

SecuriDropper was built specifically to get around this enhancement. It poses as a harmless application to avoid attention; samples observed in the wild used app names such as “com.appd.instll.load” and “com.appd.instll.load (Google Chrome).”

What sets SecuriDropper apart is its installation procedure. Instead of the plain intent-based install that Android treats as sideloading, it uses a different Android API, the session-based package installer, which is the mechanism legitimate marketplaces use; a payload installed this way is not subject to Restricted Settings. To do so, the dropper requests permissions to read and write external storage, and to install and delete packages.

The dropper then displays a fake installation error and asks the victim to tap a “Reinstall” button to fix it; that tap triggers the installation of the malicious payload.
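The traits described above (the reported package name, the storage + install + delete permission set, and a borrowed “Google Chrome” label) can be checked statically in an APK’s manifest during triage. The script below is an added example written for this article; it is not ThreatFabric’s or SecuriDropper’s code. It assumes the plain-text AndroidManifest.xml that apktool writes when decoding an APK (a packaged APK carries a binary manifest), and both manifests embedded in it are constructed for illustration; the one genuine-package mapping it knows (“Google Chrome” belongs to com.android.chrome) is a fact, not taken from the article.

```python
"""Triage a decoded AndroidManifest.xml for SecuriDropper-style traits.

Added example for this article, not ThreatFabric's or SecuriDropper's code.
Input is the text manifest apktool produces; the sample manifests below are
constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
LABEL = f"{{{ANDROID_NS}}}label"

# Permissions the dropper requests, per the article: stage the payload on
# external storage, then install it and remove traces afterwards.
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
DELETE_PERMS = {  # either spelling counts; only the first is grantable to third-party apps
    "android.permission.REQUEST_DELETE_PACKAGES",
    "android.permission.DELETE_PACKAGES",
}

# Package name reported for in-the-wild samples (from the article).
KNOWN_DROPPER_PACKAGES = {"com.appd.instll.load"}

# Labels seen on samples, mapped to the package that genuinely owns them
# (assumed lookup table; extend it with other impersonated brands).
GENUINE_PACKAGE_FOR_LABEL = {"Google Chrome": "com.android.chrome"}


def parse_manifest(xml_text):
    """Return package name, declared permissions and application label."""
    root = ET.fromstring(xml_text)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml")
    perms = {el.get(NAME) for el in root.findall("uses-permission") if el.get(NAME)}
    app = root.find("application")
    label = app.get(LABEL) if app is not None else None
    return {"package": root.get("package"), "permissions": perms, "label": label}


def triage(xml_text):
    """Classify one manifest as 'dropper-like', 'review' or 'clean'."""
    info = parse_manifest(xml_text)
    perms, findings = info["permissions"], []

    if info["package"] in KNOWN_DROPPER_PACKAGES:
        findings.append("package name matches a reported SecuriDropper sample")

    can_install = INSTALL_PERM in perms
    has_storage = bool(perms & STORAGE_PERMS)
    can_delete = bool(perms & DELETE_PERMS)
    if can_install and has_storage and can_delete:
        findings.append("dropper-style permission set: storage + install + delete packages")
    elif can_install:
        # App stores, browsers and file managers legitimately hold this one.
        findings.append("requests package installs; confirm it is a store, browser or file manager")

    genuine = GENUINE_PACKAGE_FOR_LABEL.get(info["label"])
    if genuine and info["package"] != genuine:
        findings.append(f"label {info['label']!r} but package is {info['package']}, not {genuine}")

    if any(f.startswith(("package name matches", "dropper-style")) for f in findings):
        verdict = "dropper-like"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"package": info["package"], "verdict": verdict, "findings": findings}


# Constructed manifests: one modelled on the traits the article reports,
# one ordinary note-taking app for contrast.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.appd.instll.load">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
    <application android:label="Google Chrome">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    for text in (DROPPER_MANIFEST, BENIGN_MANIFEST):
        result = triage(text)
        print(f"{result['package']}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Treat the verdict as a triage hint, not a conviction: REQUEST_INSTALL_PACKAGES on its own is normal for app stores, browsers and file managers, and a label that is a resource reference rather than a literal string will not match the lookup table. The runtime counterpart of this check on a device is `adb shell pm list packages -i`, which prints each package together with the installer that created it; a banking trojan whose installer is the dropper’s own package rather than the Play Store is exactly the pattern the article describes.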

Researchers have seen the SpyNote spyware and the ERMAC banking trojan distributed through SecuriDropper, with the dropper itself delivered via deceptive websites and third-party platforms such as Discord.

These cases show that Android malware keeps adapting to new security defences. Dropper-as-a-Service (DaaS) platforms like SecuriDropper have become effective tools for malicious actors, letting them compromise devices and distribute spyware and banking trojans with alarming ease.
