Google introduced new security measures in Android 13 that are meant to protect users' devices from malware. Attackers already have a way around the new protections.
ThreatFabric, a threat-intelligence firm focused on fighting cybercrime, has described a new strategy that builds on an existing malware attack (via Android Police). The new exploit disguises itself as an app store in order to bypass the new security measures. To understand what is happening here, it helps to first look at what Google added in Android 13 to protect its users.
According to Android Police, Google added a new security measure that prevents sideloaded apps (apps installed from outside an app store) from requesting access to accessibility services. Accessibility services are a critical part of Android: they let people with disabilities use their smartphones more easily (for example, screen readers for users with vision impairments).
Despite the good that accessibility services do, they are prone to abuse. Because they can read what is on screen, they make it easy for malware to snoop on private data such as passwords. ThreatFabric has detailed existing malware, such as the Xenomorph banking malware, that uses these services to view what is on display and capture private information such as login credentials.
Google's new security measures prevent sideloaded apps from requesting accessibility services (there are, however, ways to enable accessibility services for sideloaded apps if you need them). Given how important accessibility is, Google does not want to ban apps from using these services outright. Android 13 therefore does not block accessibility services for apps downloaded from the Play Store or other app stores. This exemption depends on the session-based package installer API.
Attackers can bypass the new security measures with malware that acts like an app store.
The reasoning here seems to be that app store operators vet their platforms for malicious apps, so apps installed from these stores are likely to be safe. However, the session-based package installation API is also the main avenue for evading the new accessibility services security measures.
ThreatFabric says that developers in the Hadoken group are building a two-part malware attack. First, a dropper app poses as an app store. It then uses the session-based package installation API to install a second package containing the malware. Because it was installed through that API, the second app bypasses the restriction and can request accessibility services.
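As an added example (not from the article or from ThreatFabric's report), the following Python script audits the output of two adb commands for the install chain the article describes: an enabled accessibility service whose package was installed by another user app rather than by a store. The sample command output, the package names and the trusted-installer list are constructed assumptions.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output (not real devices/apps).
SAMPLE_PM_OUTPUT = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.storefront  installer=null
package:com.example.payload  installer=com.example.storefront
package:com.android.settings  installer=null
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.payload/com.example.payload.OverlayService"
)

# Installer package names treated as genuine app stores (assumption for this example).
TRUSTED_INSTALLERS = {"com.android.vending", "com.amazon.venezia", "org.fdroid.fdroid"}

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output):
    """Map package name -> installer package ('null' for system or adb installs)."""
    installers = {}
    for line in pm_output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_enabled_services(setting_value):
    """Return the package names that own an enabled accessibility service."""
    if not setting_value or setting_value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting_value.split(":") if entry}


def flag_suspicious_services(pm_output, setting_value, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer, installer's own installer) for every enabled
    accessibility service whose package was installed by a non-store user app.
    The third field shows whether that installer was itself sideloaded."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg in sorted(parse_enabled_services(setting_value)):
        installer = installers.get(pkg, "unknown")
        if installer in trusted or installer == "null":
            continue  # store-installed or preinstalled: outside the described pattern
        flagged.append((pkg, installer, installers.get(installer, "unknown")))
    return flagged
```

Run the two adb commands on a device and feed their output to `flag_suspicious_services`; a non-empty result lists accessibility-enabled packages that reached the device through another installed app.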
Before you get alarmed, ThreatFabric says the malware is still very rough and likely premature. It expects the Hadoken group to keep working on it, though, and the techniques used to bypass Android's protections could become more widespread.
Users should be careful when granting accessibility access on their smartphones. Android Police describes accessibility services as the weak link exploited by numerous malware families. Users should therefore grant accessibility access only to trusted apps.
Those interested can read the full description in ThreatFabric's report here.
Via: Android Police. Source: ThreatFabric.