Sunday, May 18, 2025
HomeAndroidResearchers Bypassed Android 13's New 'Restricted Setting' Security Feature

Researchers Bypassed Android 13’s New ‘Restricted Setting’ Security Feature

Published on

SIEM as a Service

Follow Us on Google News

Android 13, the new version released by Google last week. The new Android 13 brings in various security upgrades and particularly Google has ‘restricted’’ the use of Accessibility Service in the new version.

However, Threat Fabric says they have successfully overcome these limitations and managed to avoid the new restrictions added in the new OS version.

Android 13’s Restricted Setting Feature

An Accessibility Service assists users with disabilities in using Android devices and apps. It is a long-running privileged service that helps users process information on the screen and lets them interact meaningfully with a device.

- Advertisement - Google News

The beta version of Android 13 introduces a new approach to enabling AccessibilityService of applications installed from third-party sources. This new option is called “restricted settings”, which include AccessibilityService.

In earlier versions of Android, the malware found its way inside the devices or dropper apps available on the Play Store, which masquerade as legitimate apps. Therefore when the user installs such malware apps, it will prompt users to grant access to dangerous activities and drop the malicious payloads by abusing Accessibility Service privileges.

ThreatFabric researchers’ illustrated two proof-of-concept applications, one behaving like the droppers, while the second uses a different technique with a slight change in the installation process. Researchers managed to avoid the restricted settings in the second PoC application.

Bypassing Android 13’s restricted setting feature

Researchers at Threat Fabric have spotted a previously undocumented Android dropper trojan that’s currently in development.

“This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals to perform On-Device Fraud on victim’s devices,” ThreatFabric

Dubbed ‘Bugdrop’ the first malware trying to circumvent Google’s security Controls. It is designed to defeat new features introduced in the upcoming version of Android that aims to make it difficult for malware to request Accessibility Services privileges from victims.

This dropper features code similar to Brox, a freely distributed malware development tutorial project circulating on hacker forums, but with a modification in one string of the installer function.

“What drew our attention is the presence in the Smali code of the string “com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED,” explains Threat Fabric.

“This string, which is not present in the original Brox code, corresponds to the action required by intents to create an installation process by session.”

String that invokes session-based installation

Google introduced the “restricted setting” feature, which blocks side-loaded applications from requesting Accessibility Services privileges, limiting this kind of request to applications installed with a session-based API.

Mitigation

The company says “To realize the real impact and prevent losses a proper solution should be in place to gain visibility on the malware infecting customers’ devices”.

Therefore, appropriate on-device detection of malware also helps to gain visibility on distribution channels and proactively notify customers about new distribution campaigns to raise their awareness.

Continuous authentication based on behavioral biometrics is a great source of Ti-based risk score for every account and makes fraud detection and prevention easier for financial organizations.

Also Read: Download Free Secure Web Filtering – E-book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering...

Critical WordPress Plugin Flaw Puts Over 10,000 Sites of Cyberattack

A serious security flaw affecting the Eventin plugin, a popular event management solution for...

Sophisticated NPM Attack Leverages Google Calendar2 for Advanced Communication

A startling discovery in the npm ecosystem has revealed a highly sophisticated malware campaign...

New Ransomware Attack Targets Elon Musk Supporters Using PowerShell to Deploy Payloads

A newly identified ransomware campaign has emerged, seemingly targeting supporters of Elon Musk through...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering...

Critical WordPress Plugin Flaw Puts Over 10,000 Sites of Cyberattack

A serious security flaw affecting the Eventin plugin, a popular event management solution for...

Sophisticated NPM Attack Leverages Google Calendar2 for Advanced Communication

A startling discovery in the npm ecosystem has revealed a highly sophisticated malware campaign...