Android 13 brought new security measures, but malware can bypass it

Android 13 restricts which apps can request accessibility services, but new malware acts as an app store to get around the change


Google rolled out new security measures in Android 13 to protect users from malware, and attackers have already come up with a way to work around the new protections.

ThreatFabric, which seeks to prevent fraud and cybercrime via threat intelligence, detailed a new exploit that builds on top of existing malware (via Android Police). The new exploit effectively disguises itself as an app store to bypass new security measures. However, to fully understand what’s going on here, you first need to look at what Google added in Android 13 to protect users.

According to Android Police, Google added a new security measure that prevents sideloaded apps (apps installed from outside of an app store) from requesting access to accessibility services. Accessibility services are an important part of Android, offering various tools to make smartphones easier to use for people with disabilities (for example, screen readers for people with visual impairments).

However, the nature of accessibility services means they’re vulnerable to abuse, making it easy for malware to snoop on private data, like passwords. ThreatFabric detailed some existing malware, such as the ‘Xenomorph’ banking malware, which uses accessibility services to view what’s on screen and capture personal information like log-in credentials.

Hence Google’s new security measures, which block sideloaded apps from requesting accessibility services (there is, however, a convoluted way to enable accessibility services on sideloaded apps if you need to do so). Given how important accessibility services can be, Google doesn’t want to outright ban apps from using them either. As such, Android 13 doesn’t block accessibility services for apps downloaded from the Play Store or other app stores — this exemption relies on the ‘session-based package installation API.’

Attackers working on malware that acts like an app store to bypass security

The reasoning here seems to be that app store operators vet their store platforms for malicious apps, and so apps installed from these stores are likely safe. However, the session-based package installation API is also the main avenue for bypassing the new accessibility services security measures.

ThreatFabric notes that developers with the ‘Hadoken group’ are developing a two-part malware exploit. The first part involves installing a ‘dropper’ app that acts like an app store. It then uses the session-based package installation API to install another app, which contains the malware. Because of this approach, the second app is able to bypass the security measures and request accessibility services.
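As an added defensive illustration (not code from ThreatFabric’s report or from Android Police), the script below cross-references which packages currently hold accessibility access with who installed each of them, following the installer chain so that a payload installed by a sideloaded “store” app is attributed back to that app. It assumes the output format of two real adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and uses constructed, made-up package names.

```python
# Added defensive check: cross-reference enabled accessibility services with each
# package's installer. Constructed sample output of two real adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
# All package names below are made up for illustration.
from typing import Dict, List, Tuple

# Colon-separated 'pkg/service' entries (constructed sample).
ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.payload/com.example.payload.OverlayService"
)
# 'installer=null' means the user sideloaded it; a non-store installer is an
# app that drove a session-based install, as the dropper described above does.
PM_LIST_OUTPUT = """\
package:com.android.talkback  installer=com.android.vending
package:com.example.dropper  installer=null
package:com.example.payload  installer=com.example.dropper
"""
# Installers treated as trusted stores (assumption; extend for OEM/enterprise stores).
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split 'pkg/svc:pkg/svc' into (package, service) pairs; 'null' yields none."""
    return [tuple(e.split("/", 1)) for e in raw.split(":") if "/" in e]


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package -> installer from `pm list packages -i` output lines."""
    result = {}
    for line in raw.splitlines():
        if line.startswith("package:") and "installer=" in line:
            pkg, _, inst = line[len("package:"):].partition("installer=")
            result[pkg.strip()] = inst.strip()
    return result


def flag_suspicious_grants(services: str, pm_output: str) -> List[dict]:
    """Return accessibility grants whose package does not trace back to a trusted
    store; follows installer chains so a sideloaded dropper is surfaced as root."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, svc in parse_enabled_services(services):
        chain, cur = [pkg], installers.get(pkg, "unknown")
        while cur in installers and cur not in TRUSTED_INSTALLERS and cur not in chain:
            chain.append(cur)          # step to the app that installed this one
            cur = installers[cur]
        if cur not in TRUSTED_INSTALLERS:
            findings.append({"package": pkg, "service": svc, "chain": chain, "root": cur})
    return findings
```

Run on a real device by substituting the two constants with the actual adb output; anything flagged deserves a manual look at why it needs accessibility access and where it came from.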

Before you panic, ThreatFabric said the malware is still very buggy and likely still early in development. However, it expects the Hadoken group to keep working on it, and it sounds like this style of getting malware onto Android devices could become more common.

Users should be extra careful when granting accessibility services to an app. Android Police describes accessibility services as the “weak link” for a variety of malware. As such, users should only grant access to accessibility services to trusted apps.

Those interested can read all the details in ThreatFabric’s report here.

Source: ThreatFabric Via: Android Police