The new security feature introduced in Android 13 is meant to protect against malware infections, but new research raises concerns: a recently created payload is designed to bypass those checks.
Researchers from the cybersecurity firm ThreatFabric have discovered a new malware family called BugDrop, a candidate to be the first to bypass the new security checks that Google rolled out in Android 13 less than a week ago.
BugDrop and Google security: the weak point is in the Accessibility Services
The recent publication of the details of Android 13 has brought numerous updates, among them some technical improvements on the security side of mobile devices. Specifically, to protect smartphones running Google's operating system and prevent malware infections that can take over the victim's device, Google decided to add a "Restricted Settings" function.
In most cases, malware designed to target Android abuses the functions offered by the Accessibility Services, which grant extremely high levels of permissions and privileges on the device, useful for causing damage and data loss depending on the functionality of the particular malware.
On Android 13, due out next fall, the Restricted Settings function will allow this granting of privileges to applications to be blocked, seeking a solution to this escalation. As the ThreatFabric report highlights, however, there is already malware in the wild, still in its embryonic state, called BugDrop, that tries to circumvent this newly introduced security feature.
How BugDrop malware works on Android 13
The BugDrop malware, just discovered and still under development (it lacks many features needed to be considered usable), attracted the attention of researchers through its implementation in a QR code reader app, which requests permissions on the Accessibility Services immediately upon launch. This is an alarm bell: a QR code reader does not justify such excessively high permissions, which would even allow the app to perform touches and gestures on the touch screen in place of the user.
From the analysis of its structure, this malware presents code similar to another Android malware from which it inherits some sources: Brox, which spread in the last months of 2021.
The most critical part of the malware is its use of the string "com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED", which is aimed at installing applications through the session-based installation API normally used by app stores.
Returning to the newly implemented Restricted Settings feature on Android 13, note that it applies its restrictions to all apps that are not installed using this method, for example those installed from outside the Play Store.
"With that in mind, it's clear what the criminals are trying to achieve. What is probably happening is that the actors are using pre-built malware, capable of installing new APKs on an infected device, to test a session-based installation method, which would then be incorporated into a more elaborate and refined dropper," the researchers warn.
BugDrop's functionality appears to emulate the app-store installation method in order to complete the setup of its malicious payloads, even when the user has the restrictions enabled, so that the payload still runs with the maximum privileges that can be granted. In this way the device recognizes the installation method as legitimate and does not apply the security restrictions.
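As an added example (not from the article or from ThreatFabric's report), a small audit that applies the logic above from the defender's side: it reads the installer recorded for each package and flags any app with an enabled accessibility service that did not come from a trusted store. The command output is constructed, and the trusted-installer set is an assumption.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output (not real device data).
PM_LIST_OUTPUT = """\
package:com.android.vending  installer=null
package:com.bank.app  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.qrreader  installer=null
package:com.example.payload  installer=com.example.qrreader
"""

# Constructed sample of `settings get secure enabled_accessibility_services`
# (format: pkg/ServiceClass entries separated by ':').
ENABLED_A11Y = (
    "com.example.payload/com.example.payload.A11yService:"
    "com.example.qrreader/com.example.qrreader.Helper:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Assumption: only the Play Store counts as a trusted installer for this audit.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_installers(pm_output):
    """Map package name -> installer package (None when the device recorded none)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_enabled_services(setting):
    """Return the set of packages that own an enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if "/" in entry}


def audit(pm_output, a11y_setting, trusted=TRUSTED_INSTALLERS):
    """List (package, reason) for accessibility-enabled apps not installed by a trusted store."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg in sorted(parse_enabled_services(a11y_setting)):
        inst = installers.get(pkg)
        if inst in trusted:
            continue  # store-installed: Restricted Settings would not have blocked it anyway
        if inst is None:
            reason = "sideloaded (no recorded installer)"
        else:
            reason = f"installed by third-party app {inst}"  # dropper-style install
        findings.append((pkg, reason))
    return findings
```

An app whose installer is another user-installed app, as in the last finding, is the pattern the article describes: a dropper using the store-style install path to land a payload that then obtains accessibility access.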
The conclusion of this research is that once BugDrop's operational problems are resolved and its features fully implemented, the new security measures Google designed for Android 13 will not be sufficient to ward off a malware infection, once again exposing intrinsic risks even in apparently legitimate applications on the Play Store.