Cybersecurity researchers have exposed a new threat in the form of a dropper-as-a-service (DaaS) for Android called SecuriDropper. This Android malware bypasses Google’s security restrictions, enabling it to deliver malicious payloads.
Dropper malware serves as a bridge for installing payloads on compromised devices and has become a profitable business model for cybercriminals. By separating the development and execution of attacks from the malware installation process, adversaries can exploit evolving security measures to their advantage. Google introduced a security measure with Android 13 known as Restricted Settings, which restricts sideloaded apps from obtaining permissions that are frequently abused by banking trojans.
SecuriDropper evades this restriction by disguising itself as seemingly harmless apps, often mimicking legitimate installation procedures found on app marketplaces. This unique technical implementation distinguishes SecuriDropper from its predecessors, allowing it to operate undetected. The malware requests permissions for various actions, such as reading and writing data to external storage and installing and deleting packages. The malicious payload is then installed by prompting victims to click a “Reinstall” button on the app, thereby resolving a purported installation error.
Cybersecurity firm ThreatFabric noted that SecuriDropper has been observed distributing Android banking trojans like SpyNote and ERMAC via deceptive websites and third-party platforms such as Discord. Another similar dropper service, Zombinder, which offers a Restricted Settings bypass, has also been identified. It remains unclear whether there is any connection between these two tools.
As Android continues to evolve with each iteration, cybercriminals adapt and innovate to stay ahead. Dropper-as-a-Service (DaaS) platforms have emerged as powerful tools that enable malicious actors to infiltrate devices, distribute spyware, and deploy banking trojans. In response to the findings, Google stated that Restricted settings add an additional layer of protection by requiring user confirmation for apps to access Android settings/permissions.
Users maintain control over the permissions they grant to apps, and they are further protected by Google Play Protect, which can warn or block apps displaying malicious behavior. Google is continually enhancing Android’s defenses against malware to safeguard users.