Thursday, March 28, 2024

Researchers Bypassed Android 13’s New ‘Restricted Setting’ Security Feature

Android 13, the new version released by Google last week. The new Android 13 brings in various security upgrades and particularly Google has ‘restricted’’ the use of Accessibility Service in the new version.

However, Threat Fabric says they have successfully overcome these limitations and managed to avoid the new restrictions added in the new OS version.

Android 13’s Restricted Setting Feature

An Accessibility Service assists users with disabilities in using Android devices and apps. It is a long-running privileged service that helps users process information on the screen and lets them interact meaningfully with a device.

The beta version of Android 13 introduces a new approach to enabling AccessibilityService of applications installed from third-party sources. This new option is called “restricted settings”, which include AccessibilityService.

In earlier versions of Android, the malware found its way inside the devices or dropper apps available on the Play Store, which masquerade as legitimate apps. Therefore when the user installs such malware apps, it will prompt users to grant access to dangerous activities and drop the malicious payloads by abusing Accessibility Service privileges.

ThreatFabric researchers’ illustrated two proof-of-concept applications, one behaving like the droppers, while the second uses a different technique with a slight change in the installation process. Researchers managed to avoid the restricted settings in the second PoC application.

Bypassing Android 13’s restricted setting feature

Researchers at Threat Fabric have spotted a previously undocumented Android dropper trojan that’s currently in development.

“This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals to perform On-Device Fraud on victim’s devices,” ThreatFabric

Dubbed ‘Bugdrop’ the first malware trying to circumvent Google’s security Controls. It is designed to defeat new features introduced in the upcoming version of Android that aims to make it difficult for malware to request Accessibility Services privileges from victims.

This dropper features code similar to Brox, a freely distributed malware development tutorial project circulating on hacker forums, but with a modification in one string of the installer function.

“What drew our attention is the presence in the Smali code of the string “com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED,” explains Threat Fabric.

“This string, which is not present in the original Brox code, corresponds to the action required by intents to create an installation process by session.”

String that invokes session-based installation

Google introduced the “restricted setting” feature, which blocks side-loaded applications from requesting Accessibility Services privileges, limiting this kind of request to applications installed with a session-based API.

Mitigation

The company says “To realize the real impact and prevent losses a proper solution should be in place to gain visibility on the malware infecting customers’ devices”.

Therefore, appropriate on-device detection of malware also helps to gain visibility on distribution channels and proactively notify customers about new distribution campaigns to raise their awareness.

Continuous authentication based on behavioral biometrics is a great source of Ti-based risk score for every account and makes fraud detection and prevention easier for financial organizations.

Also Read: Download Free Secure Web Filtering – E-book

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles