Researchers discovered a previously undocumented Android dropper, dubbed BugDrop, which is still under development.
ThreatFabric researchers recently discovered a previously undetected Android dropper, dubbed BugDrop, that is still under development and is designed to bypass a security feature that Google is introducing in Android 13, the next version of its operating system.
The researchers first noticed something unusual about the latest sample of the Xenomorph banking malware: it was an enhanced version of the threat that adds RAT capabilities through so-called “execution modules”. These modules allow the malware to perform gestures, key presses, and other operations on the device.
This new version of Xenomorph was delivered by the BugDrop dropper, which is built to get around the Android 13 measure that prevents sideloaded apps from requesting Accessibility Services privileges from victims.
The dropper was developed by a cybercriminal group known as Hadoken Security, which is the same threat actor behind Android malware Xenomorph and Gymdrop.
The malicious app spotted by researchers poses as a QR code reader.
On launch, the app asks the user to grant it Accessibility Services, which lets it perform gestures and touches on the victim's behalf.
“Once granted, while displaying a loading screen, the dropper initiates a connection with its onion.ws C2, which is based on the Discrete protocol, retrieving its configuration and the URL of the payload to download and install,” reads the analysis published by ThreatFabric. “Throughout our investigation, this URL changed from one of the samples in the open folder to an external URL again referring to the functionality of QR code scanners, which used an endpoint very similar to that used by Gymdrop samples we observed in the wild in recent months.”
The presence of instructions in the dropper code that return error messages to the C2 suggests it is still under development.
Starting with Android 13, Google blocks sideloaded apps (those installed outside an official app store, for example from a downloaded APK) from being granted Accessibility Services; the restriction applies to apps installed through the non-session-based install path, while apps installed through the session-based package installation API, the method app stores use, are exempt.
BugDrop attempts to circumvent this restriction by installing its malicious payload through that session-based installation process, so the payload is treated by the system like an app delivered by a store rather than a sideloaded one.
“In this context, it is important to remember the new security features of Android 13, which will be released in the fall of 2022. With this new version, Google has introduced the ‘restricted framework’ feature, which prevents sideloaded apps from requesting Accessibility Services privileges, limiting this type of request to apps installed with a session-based API (which is the method typically used by app stores),” the analysis continues. “With that in mind, it’s clear what the criminals are trying to accomplish. What is likely happening is that the actors are using already-built malware, capable of installing new APKs on an infected device, to test a session-based method of installation, which would then be incorporated into a more elaborate and refined dropper.”
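To make the distinction above concrete, here is the session-based install flow that Android's public PackageInstaller API exposes to app stores, written as an added example for this page. It is not BugDrop's code and not taken from the ThreatFabric report; it shows the API an analyst should expect to find in a dropper that uses this technique. The class name, broadcast action string and session file name are assumptions; the calling app needs the REQUEST_INSTALL_PACKAGES permission and the user must have allowed it to install unknown apps.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInstaller;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

/**
 * Added example (not BugDrop's code): the documented session-based install
 * flow of android.content.pm.PackageInstaller, i.e. the path app stores use.
 * Assumes REQUEST_INSTALL_PACKAGES is declared in the manifest and that the
 * user has enabled "install unknown apps" for this package.
 */
public final class SessionInstaller {
    // Assumed action name for the broadcast that carries the install result.
    static final String ACTION_INSTALL_RESULT = "com.example.INSTALL_RESULT";

    /**
     * Streams an APK into a new install session and commits it.
     * Returns the session id so the caller can match the result broadcast.
     */
    public static int install(Context ctx, InputStream apk, long apkSize) throws IOException {
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params =
            new PackageInstaller.SessionParams(PackageInstaller.SessionParams.MODE_FULL_INSTALL);

        // 1. Create the session. Everything below is tied to this id.
        int sessionId = installer.createSession(params);

        // Session is Closeable; closing it does not abandon a committed session.
        try (PackageInstaller.Session session = installer.openSession(sessionId)) {
            // 2. Write the APK bytes into the session. The name only has to be
            //    unique within the session; a known size (or -1) is accepted.
            try (OutputStream out = session.openWrite("payload.apk", 0, apkSize)) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = apk.read(buf)) > 0) {
                    out.write(buf, 0, n);
                }
                session.fsync(out);
            }

            // 3. Commit. The system validates the APK, shows its own install
            //    confirmation UI and reports the outcome through the IntentSender.
            //    The PendingIntent must be mutable because the system fills in
            //    PackageInstaller.EXTRA_STATUS and related extras.
            Intent result = new Intent(ACTION_INSTALL_RESULT).setPackage(ctx.getPackageName());
            PendingIntent pi = PendingIntent.getBroadcast(
                ctx, sessionId, result,
                PendingIntent.FLAG_MUTABLE | PendingIntent.FLAG_UPDATE_CURRENT);
            session.commit(pi.getIntentSender());
        }
        return sessionId;
    }
}
```

The receiver for ACTION_INSTALL_RESULT reads PackageInstaller.EXTRA_STATUS; a value of STATUS_PENDING_USER_ACTION means the system handed back an Intent (in Intent.EXTRA_INTENT) that must be started to show the confirmation dialog, which is the user interaction a dropper would drive with the Accessibility privileges it already holds. For reverse engineers, the tell in a supposed QR code scanner is this combination: calls to createSession, openSession, openWrite and commit on PackageInstaller, the REQUEST_INSTALL_PACKAGES permission, and a declared AccessibilityService, none of which a scanner needs. Note also that Android 13 adds SessionParams.setPackageSource(), with which an honest installer labels a payload as a local or downloaded file so that restricted settings still apply; a malicious installer has no reason to set it.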
Once development is complete, BugDrop will give its operators a dropper that delivers banking malware such as Xenomorph while sidestepping the Accessibility restriction Google is introducing in Android 13.