SecuriDropper Mobile Malware Manages to Dodge Detection

Cybersecurity experts have unveiled a new Android dropper service known as SecuriDropper, which circumvents Google's latest security restrictions and delivers malware.

Dropper malware for Android is designed to act as a conduit for installing malicious payloads on compromised devices, making it a profitable model for cybercriminals who can showcase their capabilities to other criminal groups. This approach also allows adversaries to separate the attack's development and execution from the actual malware installation process.

According to a report by Dutch cybersecurity company ThreatFabric, droppers and those responsible for them are constantly evolving to outsmart advancing security measures. Google introduced a security feature in Android 13 called Restricted Settings, which aims to prevent sideloaded applications from acquiring Accessibility and Notification Listener permissions that are often exploited by banking trojans.

SecuriDropper's Mode of Operation

SecuriDropper attempts to bypass this protective barrier without detection by disguising the dropper as an innocuous app. Some samples observed in the wild use the package name "com.appd.instll.load" while presenting themselves as Google and Google Chrome.

ThreatFabric highlighted that what sets SecuriDropper apart is its technical approach to the installation process. Unlike its predecessors, this family employs a different Android API to install the new payload, mimicking the process used by app marketplaces to install new applications.

Specifically, this involves requesting permissions to read and write data to external storage (READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE) as well as the ability to install and delete packages (REQUEST_INSTALL_PACKAGES and DELETE_PACKAGES).

In the second stage, the installation of the malicious payload is facilitated by urging victims to click a "Reinstall" button in the app, supposedly to resolve an installation error.
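
For defenders reviewing sideloaded apps, the permission set listed above can be checked in a decoded manifest. The following Python script is an added example, not code from ThreatFabric's report or this article; the function names and both sample manifests are constructed for illustration. Legitimate app stores and installers request the same combination, so a match is a reason to inspect the app further, not a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# The four permissions the article lists for the dropper stage.
DROPPER_SET = frozenset(PREFIX + p for p in (
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "REQUEST_INSTALL_PACKAGES", "DELETE_PACKAGES"))

def requested_permissions(manifest_xml):
    """Return (package, permissions) from a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # Permissions may be declared with either element name.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return root.get("package", ""), perms

def triage(manifest_xml):
    """Flag a manifest only when it requests the full permission set."""
    package, perms = requested_permissions(manifest_xml)
    return {
        "package": package,
        "matched": sorted(DROPPER_SET & perms),
        "missing": sorted(DROPPER_SET - perms),
        "flag": DROPPER_SET <= perms,
    }

def _manifest(package, names, sdk23=()):
    # Builds a constructed sample manifest; not taken from any real app.
    rows = [f'<uses-permission android:name="{PREFIX}{n}"/>' for n in names]
    rows += [f'<uses-permission-sdk-23 android:name="{PREFIX}{n}"/>' for n in sdk23]
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">' + "".join(rows) + "</manifest>")

# Constructed samples: one requests all four permissions, one does not.
SAMPLE_SUSPECT = _manifest(
    "com.example.constructed.installer",
    ["READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "REQUEST_INSTALL_PACKAGES"],
    sdk23=["DELETE_PACKAGES"])
SAMPLE_BENIGN = _manifest("com.example.constructed.gallery", ["READ_EXTERNAL_STORAGE"])

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(triage(sample))
```
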
