Bug Drop, Malware That Can Bypass Android 13 Sideload Security
“Guys, I thought we were in a hurry. And Diego, spit that out. You don’t know where it’s been.”
–Manny the Mammoth, Ice Age (2002)
That’s what Google says about sideloaded apps, unless they’re still in development and testing of course. Sideloaded apps can be dangerous, especially those not found in Google Play, since they could have been laced with malware. That’s not to say that Google Play is an oasis of secure apps. Google Play itself is a paradise for droppers: apps that look legit, or even function legitimately, but carry malware payloads of their own.
Android 13 has a new security feature that restricts the use of the much-abused AccessibilityService, which malware relies on to act in the background. Android 13 seeks to cripple mobile malware by blocking sideloaded apps from prompting users to grant AccessibilityService privileges.
This restriction is targeted at apps not sourced through Google Play. On the surface it’s a good feature, one that protects the many casual users who download only popular apps and games through Google Play. Basically, it’s the same sort of benefit you get from subscribing to a walled garden. Sideloading apps does carry some risk, but prior to Android 13 sideloaded apps weren’t restricted in any way apart from the usual warning about installing apps from other sources.
In short, the risk of malware that makes use of AccessibilityService privileges from sideloaded apps is mitigated. Again, that won’t stop such apps sourced from Google Play, but it’s a start. But there’s no stopping users from sideloading, right? And malware authors who like a challenge will still get around this restriction.
There was a series of Star Trek novels in which captains of every era had to deal with a single threat. The approach taken during the Next Generation era was infecting the Federation with a virus that came out of nowhere despite anti-microbe transporter trace technology. It turns out that the disease was spread through prions that gradually assembled themselves into a complete virus. This is the approach taken by a new Android malware to bypass Android 13’s new security measure against sideloaded apps.
Researchers from security firm ThreatFabric created a proof of concept dropper to bypass the new feature. And while doing this, they also discovered that a hacker group known as the Hadoken Group is already working on such a solution codenamed BugDrop.
This solution installs the malware in multiple stages through session-based installation. The APK for the malware is split into smaller pieces, and because of this method Android won’t treat the installation as sideloading.
“…When fully implemented, this slight modification would circumvent Google’s new security measures fully, even before they are effectively in place…”
BugDrop however is still a work in progress according to the research firm. But once released, it will enable the installation of malware that can still obtain AccessibilityService privileges and work in the background: malware that can create fake screens imitating well-known banking and finance apps and crypto wallets, and steal users’ credentials.
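Because a session-based install still records which package performed it, a defender can check whether any app currently granted accessibility access was installed by something other than the Play Store. The script below is an added example, not code from the article or from ThreatFabric; it parses the text printed by two Android shell commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and assumes Play’s installer package name is `com.android.vending`. The sample outputs are constructed for this example.

```python
"""Flag enabled accessibility services whose package was not installed by a
trusted installer (here: Google Play, com.android.vending). Heuristic only:
an app installed by a dropper shows that dropper, not Play, as installer."""
from typing import Dict, List, Tuple

# Constructed sample: output of `settings get secure enabled_accessibility_services`
ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/com.example.updater.OverlayService"
)

# Constructed sample: output of `pm list packages -i`
PM_LIST = """package:com.android.talkback  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.bank  installer=com.android.vending
"""

TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split 'pkg/Service:pkg2/Service2' into (package, service) pairs."""
    pairs = []
    for entry in raw.strip().split(":"):
        if entry:
            pkg, _, svc = entry.partition("/")
            pairs.append((pkg, svc))
    return pairs


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name to the installer package ('null' = unknown/sideloaded)."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkg_part, _, inst_part = line.partition("installer=")
            pkg = pkg_part[len("package:"):].strip()
            installers[pkg] = inst_part.strip() or "null"
    return installers


def suspicious_services(services_raw: str, pm_raw: str, trusted=TRUSTED_INSTALLERS) -> List[str]:
    """Return 'pkg/Service' entries whose package lacks a trusted installer."""
    installers = parse_installers(pm_raw)
    return [f"{pkg}/{svc}" for pkg, svc in parse_enabled_services(services_raw)
            if installers.get(pkg, "null") not in trusted]


if __name__ == "__main__":
    for hit in suspicious_services(ENABLED_SERVICES, PM_LIST):
        print("review accessibility grant:", hit)
```

On a real device, feed the script the output of the two commands captured over `adb shell`; a hit is a candidate for review, not proof of malware, since legitimate apps are sideloaded too.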