This crafty malware dropper sneaks past the toughest Google Android security defenses

Hackers have found a way to bypass Android's "Restricted Settings" and install malware on a victim's device.

Restricted Settings is a security feature first introduced in Android 13 that stops sideloaded apps (those installed from outside an app store, for example a package downloaded through a browser or messaging app) from being granted sensitive access such as Accessibility or Notification Listener.

Apps granted Accessibility access can act on the user's behalf: install other apps, read text and other data shown on screen, record audio and video, and more. Almost all Android banking malware needs Accessibility enabled, so an app asking for it is one of the clearest red flags. Notification Listener does what the name says: it reads incoming notifications, and attackers use it to intercept multi-factor authentication codes, especially those delivered by SMS.

SecuriDropper

A report from cybersecurity researchers ThreatFabric describes the new malware, a dropper-as-a-service called SecuriDropper. Victims usually think they are installing a software update, a video app, a game or something similar. On first launch the app asks for read and write access to external storage and for permission to install and uninstall packages, which lets it download and install further apps.

It then claims the app did not install correctly (or needs an update) and shows a Reinstall button; tapping it downloads and installs the second-stage payload. Because the dropper installs that payload through Android's session-based package installer API, the same route app stores use, the payload is not treated as sideloaded and Restricted Settings does not stop it from requesting Accessibility or Notification Listener access.

The payload varies with the customer of the service, but researchers observed SecuriDropper delivering the SpyNote spyware as well as the Ermac banking trojan.

SpyNote can log keystrokes, exfiltrate call logs, extract data from installed apps and more, and removing it is no small job.

The best way to stay safe is to use common sense: only download apps from trusted sources and check that they have plenty of downloads and good reviews. Pay close attention to the permissions an app requests during installation; if they are excessive, it is most likely malware. Be especially wary of an app installed from outside a store that later shows an in-app "Reinstall" or "Update" button, or asks you to grant it Accessibility or notification access, and keep Google Play Protect enabled.
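For anyone triaging a device, the combination the article describes (an app holding Accessibility or Notification Listener access that was installed by something other than an app store, and whose installer is itself a sideloaded app) can be checked from the output of three `adb shell` commands: `pm list packages -i` (installer per package), `pm list packages -s` (system packages) and `settings get secure enabled_accessibility_services` / `enabled_notification_listeners`. The script below is an added example, not ThreatFabric's or the article's code; the sample outputs, package names and the list of trusted store installers are constructed for illustration.

```python
"""Flag apps that hold Accessibility or Notification Listener access but were
not installed by a known app store, and note whether their installer is itself
a sideloaded app (the SecuriDropper pattern).

Added example. The text constants below are constructed to match the format of
the real adb commands named in each comment; on a real device replace them with
the command output."""
import re

# Assumption: installer package names treated as trusted stores. Extend for
# Samsung Galaxy Store, Amazon Appstore, an MDM agent, etc. as appropriate.
KNOWN_STORES = {"com.android.vending"}

# Constructed sample of: adb shell pm list packages -i
PM_LIST_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.android.talkback  installer=null
package:com.example.fakeupdater  installer=null
package:com.example.notesapp  installer=com.android.vending
package:com.example.videoapp  installer=com.example.fakeupdater
"""

# Constructed sample of: adb shell pm list packages -s
PM_SYSTEM_OUTPUT = """\
package:com.android.chrome
package:com.android.talkback
"""

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY_OUTPUT = (
    "com.example.videoapp/com.example.videoapp.A11yService:"
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Constructed sample of: adb shell settings get secure enabled_notification_listeners
LISTENERS_OUTPUT = "com.example.notesapp/.NotifService:com.example.videoapp/.NotifService"


def parse_installers(pm_output):
    """Map package -> installer package (None when pm prints installer=null)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_package_list(pm_output):
    """Package names from plain `pm list packages` output."""
    return {
        line.strip()[len("package:"):]
        for line in pm_output.splitlines()
        if line.strip().startswith("package:")
    }


def parse_components(value):
    """Secure setting 'pkg/Class:pkg2/Class2' -> {pkg, pkg2}.
    `settings get` prints 'null' when the setting has never been written."""
    value = value.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def triage(pm_output, system_output, a11y_value, listeners_value, known_stores=KNOWN_STORES):
    """Return {package: {access, installer, installer_is_sideloaded}} for
    non-system apps holding sensitive access without a trusted installer."""
    installers = parse_installers(pm_output)
    system_pkgs = parse_package_list(system_output)
    access = {}
    for pkg in parse_components(a11y_value):
        access.setdefault(pkg, set()).add("accessibility")
    for pkg in parse_components(listeners_value):
        access.setdefault(pkg, set()).add("notification_listener")

    findings = {}
    for pkg, kinds in access.items():
        if pkg in system_pkgs:
            continue  # system components such as TalkBack are expected here
        installer = installers.get(pkg)
        if installer in known_stores:
            continue  # store-installed: Restricted Settings never applied anyway
        findings[pkg] = {
            "access": sorted(kinds),
            "installer": installer,
            # Dropper signature: the package was installed by another app that
            # is neither a store nor a system component.
            "installer_is_sideloaded": installer is not None
            and installer not in known_stores
            and installer not in system_pkgs,
        }
    return findings


if __name__ == "__main__":
    for pkg, info in triage(PM_LIST_OUTPUT, PM_SYSTEM_OUTPUT,
                            ACCESSIBILITY_OUTPUT, LISTENERS_OUTPUT).items():
        print(pkg, info)
```

On the constructed data only `com.example.videoapp` is reported: it holds both kinds of access, its installer is `com.example.fakeupdater`, and that installer is itself sideloaded (installer=null, not a system package), which is exactly the dropper-then-payload chain. An `installer` of `None` on a non-system app is worth a look too, since that is how a manually sideloaded dropper shows up.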

Via BleepingComputer
