A dropper-as-a-service (DaaS) called ‘SecuriDropper’ uses a session-based installer to sideload malware, bypassing Android’s Restricted Settings feature introduced by Google in Android 13. The malware uses an Android API to mimic a marketplace’s installation process, preventing the operating system from identifying the payload as sideloaded. The dropper asks for permissions to read and write external storage and to install and delete packages, and checks whether the payload is already installed on the device. If it is, it launches the payload, prompting the user to ‘reinstall’ the application. ThreatFabric has observed SecuriDropper delivering the SpyNote spyware family and the Ermac banking trojan.
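Because a session-based install records the dropper, not a store, as the installing package, an on-device audit can surface this pattern. The following is an added, illustrative defensive check (not code from the article, ThreatFabric, or OODA): it lists installed apps that hold the install-packages permission the dropper requests and whose recorded installer is not a known store. It assumes an Android Context, API level 30 or higher, and (on Android 11+) the QUERY_ALL_PACKAGES permission so that every package is visible; the store list is an assumed starting point.

```java
import android.content.Context;
import android.content.pm.InstallSourceInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

public final class SideloadAudit {
    // Installers treated as trusted stores (assumed list; extend with OEM stores as needed).
    private static final Set<String> KNOWN_STORES = Set.of("com.android.vending");
    // Permission an app needs before it can drive PackageInstaller to install other packages.
    private static final String INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES";

    /** One finding: an app that can install packages and was not itself installed by a known store. */
    public static final class Finding {
        public final String pkg, installer, initiator;
        Finding(String pkg, String installer, String initiator) {
            this.pkg = pkg; this.installer = installer; this.initiator = initiator;
        }
        @Override public String toString() {
            return pkg + " installer=" + installer + " initiator=" + initiator;
        }
    }

    /** Requires API 30+ for getInstallSourceInfo; assumes QUERY_ALL_PACKAGES is held on API 30+. */
    public static List<Finding> findSuspiciousInstallers(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<Finding> out = new ArrayList<>();
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            // Only apps that declare the install-packages permission are of interest here.
            if (pi.requestedPermissions == null
                    || !Arrays.asList(pi.requestedPermissions).contains(INSTALL_PERM)) continue;
            try {
                InstallSourceInfo src = pm.getInstallSourceInfo(pi.packageName);
                String installer = src.getInstallingPackageName();   // who committed the session
                String initiator = src.getInitiatingPackageName();   // who started the install
                if (installer != null && KNOWN_STORES.contains(installer)) continue;
                out.add(new Finding(pi.packageName, installer, initiator));
            } catch (PackageManager.NameNotFoundException ignored) {
                // Package vanished between enumeration and lookup; skip it.
            }
        }
        return out;
    }
}
```

A hit is a lead for review, not proof of compromise: legitimate enterprise MDM agents and OEM updaters also install packages outside the store.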
About OODA Analyst
OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.