New Malware is being developed to Bypass Android Security Features

In cybersecurity, you always have to keep your guard up. Threat actors never stop working on new ways to wreak havoc. A recent example is a previously undocumented Android dropper trojan, still in development, that is built to work around Google Play security protections.

“This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking Trojan, allowing criminals to perform On-Device Fraud on victim’s devices,” says Han Sahin of ThreatFabric.

Named “BugDrop”, the dropper app is designed to defeat new features introduced in the upcoming version of Android that aim to make it difficult for malware to request Accessibility Services privileges from victims.

ThreatFabric attributed the dropper to a cybercriminal group known as “Hadoken Security,” which is also responsible for the creation and distribution of the Xenomorph and Gymdrop Android malware families.

Banking Trojans are typically deployed on Android devices through dropper apps that pose as productivity and utility apps. Once installed, these apps trick users into granting invasive permissions.

The accessibility API, which lets apps read the contents of the screen and perform actions on behalf of the user, has been heavily abused by malware operators to capture sensitive data such as credentials and financial information.

This is typically achieved through overlay attacks. In an overlay attack, the Trojan injects a fake lookalike login form, retrieved from a remote server, on top of a targeted app such as a cryptocurrency wallet when the victim opens it.

Most of these malicious apps are sideloaded, something that is only possible when the user allows installation from unknown sources. With Android 13, Google has taken steps to entirely block accessibility API access to apps installed from outside of an app store.
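The combination the article describes, a sideloaded app holding Accessibility Service access, is something a defender can check for with two standard `adb shell` commands: `pm list packages -i` (which reports each package's installer) and `settings get secure enabled_accessibility_services` (which lists enabled accessibility components). The following script is an added example, not code from the article or from ThreatFabric; it parses constructed sample output in the format those commands emit and flags accessibility-enabled packages whose installer is not a trusted store. The set of trusted installer package names is an assumption you should adjust for your own fleet.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumption: only the Play Store counts as a trusted installer here.
# Extend this set for enterprise or OEM stores used in your environment.
STORE_INSTALLERS: Set[str] = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i` output.
# Note that preinstalled system apps also show installer=null, so a hit
# is a triage lead, not proof of malware.
PM_OUTPUT = """\
package:com.android.settings  installer=null
package:com.example.bank  installer=com.android.vending
package:com.qr.scanner.free  installer=null
package:com.example.keyboard  installer=com.android.vending
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# output: colon-separated component names of the form package/service.
A11Y_OUTPUT = (
    "com.qr.scanner.free/com.qr.scanner.free.AccService:"
    "com.example.keyboard/.InputService"
)


def parse_installers(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when reported as null)."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def parse_a11y_services(text: str) -> Set[str]:
    """Extract the package names that own an enabled accessibility service."""
    pkgs: Set[str] = set()
    for component in text.strip().split(":"):
        if "/" in component:
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def sideloaded_with_accessibility(
    installers: Dict[str, Optional[str]], a11y_pkgs: Set[str]
) -> List[Tuple[str, Optional[str]]]:
    """Return (package, installer) for accessibility-enabled apps not from a store."""
    flagged: List[Tuple[str, Optional[str]]] = []
    for pkg in sorted(a11y_pkgs):
        installer = installers.get(pkg)  # None if unknown or reported as null
        if installer not in STORE_INSTALLERS:
            flagged.append((pkg, installer))
    return flagged


if __name__ == "__main__":
    hits = sideloaded_with_accessibility(
        parse_installers(PM_OUTPUT), parse_a11y_services(A11Y_OUTPUT)
    )
    for pkg, installer in hits:
        print(f"REVIEW: {pkg} has accessibility access, installer={installer}")
```

On a real device, pipe the two `adb shell` commands into the parsers instead of the constructed strings; the keyboard app in the sample is cleared because the Play Store installed it, while the QR scanner with no recorded installer is the case the article's dropper would produce.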

That has not stopped adversaries from attempting to get around these tightened security settings. This is where BugDrop comes in. BugDrop masquerades as a QR code reader app and is being tested by its authors to deploy malicious payloads through a session-based installation process.

“What is likely happening is that actors are using an already built malware, capable of installing new APKs on an infected device, to test a session-based installation method, which would then later be incorporated in a more elaborate and refined dropper,” the researchers said.

These changes, should they become a reality, could make banking Trojans a more dangerous threat, capable of bypassing security defenses before they are even in place.

“With the completion and resolution of all the issues currently present in BugDrop, criminals will have another efficient weapon in the war against security teams and banking institutions, defeating solutions that are currently being adopted by Google, which are clearly not sufficient to deter criminals,” the company noted.

To avoid becoming a victim of malware hiding in official app stores, it is recommended that you only download apps from known developers and publishers, scrutinize app reviews, and check privacy policies.

Story via The Hacker News