Google released Android 13 in August, and hackers are already aiming to bypass the company’s latest security measures. A team of researchers has found malware that uses a new technique to evade Google’s new restrictions on which apps can access accessibility services. Abusing accessibility services makes it easier for malware to snoop on passwords and private data, and is therefore one of the most commonly used entry points for bad actors on Android.
To understand what’s going on, we first need to look at Android 13’s new security measures. Android 13 no longer allows sideloaded apps to request access to accessibility services unless you go out of your way to grant said app permission using a convoluted workaround. This is meant to protect against malware that an inexperienced person might have inadvertently downloaded from outside the Play Store, like a shady QR code scanner. Such an app would typically ask users to allow it to use accessibility services, but that option is no longer readily available for apps that didn’t come from an app store.
Given that accessibility services are a legitimate option for apps that want to make phones more accessible to those who need it, Google doesn’t want to outright ban access to accessibility services for all apps. Apps downloaded from the Play Store are exempt from this block, as are apps downloaded via a third-party app store other than the Play Store (think F-Droid or the Amazon App Store). This is done by exempting apps installed via the session-based package installation API from the accessibility services lock. Google’s reasoning here is that app stores typically vet the applications they offer, so there’s already a line of defense in place. This exception is exactly what hackers are taking advantage of in the latest exploit.
As covered by ThreatFabric, malware developers who are part of the Hadoken group are working on a new exploit that builds on top of older malware that uses accessibility services to gain insight into personal data. Since sideloaded apps can no longer easily obtain accessibility access on Android 13, the new malware comes in two parts. The first app the user installs is the “dropper”, which acts like an app store and uses the same session-based package installation API to install the actual piece of malware, so the payload is not subject to the restriction on enabling accessibility services.
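One defender-side check that follows from the mechanism above, as an added example that is not from the article or from ThreatFabric: an audit of which packages have accessibility services enabled and which package installed each of them. It assumes adb access to the device, and that a payload installed through the session-based PackageInstaller API reports the installing app as its installer (the `TRUSTED_INSTALLERS` list and the `com.example.*` package names are constructed).

```shell
#!/bin/sh
# Audit enabled accessibility services against their installer on an Android device.
# Added example (not from the article). Assumes adb is on PATH and that an app
# installed by another app via the session-based PackageInstaller API reports
# that app as its installer (assumption).

# Installers treated as vetting app stores; adjust for your fleet (constructed list).
TRUSTED_INSTALLERS="com.android.vending org.fdroid.fdroid com.amazon.venezia"

# Returns 0 if $1 is in TRUSTED_INSTALLERS, 1 otherwise.
is_trusted_installer() {
  for t in $TRUSTED_INSTALLERS; do
    [ "$1" = "$t" ] && return 0
  done
  return 1
}

# $1: output of `settings get secure enabled_accessibility_services`
#     (colon-separated "<pkg>/<service>" entries)
# $2: output of `pm list packages -i` (lines "package:<pkg>  installer=<pkg|null>")
# Prints one line per enabled service: "<verdict> <pkg> installer=<installer>"
audit_accessibility() {
  services=$1
  packages=$2
  printf '%s\n' "$services" | tr ':' '\n' | while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    pkg=${entry%%/*}
    installer=$(printf '%s\n' "$packages" |
      awk -v p="package:$pkg" '$1 == p { sub("installer=", "", $2); print $2 }')
    [ -z "$installer" ] && installer=unknown
    if is_trusted_installer "$installer"; then
      verdict=OK
    elif [ "$installer" = null ]; then
      verdict=REVIEW      # sideloaded directly (user/adb), no store vetting
    else
      verdict=SUSPICIOUS  # installed by another app: the dropper pattern
    fi
    echo "$verdict $pkg installer=$installer"
  done
}

# Live run against a connected device (requires adb).
audit_device() {
  audit_accessibility "$(adb shell settings get secure enabled_accessibility_services)" \
                      "$(adb shell pm list packages -i)"
}

# Constructed sample device output for offline use; com.example.payload was
# installed by com.example.dropper, which itself was sideloaded.
SAMPLE_SERVICES="com.android.talkback/.TalkBackService:com.example.payload/com.example.payload.AccService"
SAMPLE_PACKAGES="package:com.android.talkback  installer=com.android.vending
package:com.example.dropper  installer=null
package:com.example.payload  installer=com.example.dropper"
```

Run `audit_device` for a real device, or `audit_accessibility "$SAMPLE_SERVICES" "$SAMPLE_PACKAGES"` to see the constructed case flag the payload.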
While malware could still ask users to enable accessibility services for sideloaded apps, the workaround required to enable them is significant. It’s far easier to trick users into enabling accessibility services with a single tap, which is what this new two-pronged attack accomplishes.
ThreatFabric notes that the malware is in the early stages of development and is still incredibly buggy and finicky at this point. That’s why the company decided to call the newly found malware “BugDrop”, since it’s not up to par with the rest of the hacker group’s code yet. Previously, the Hadoken group hatched another dropper project called Gymdrop, which also serves to distribute other malware. The group also created banking malware called Xenomorph. For all of these, Accessibility Services is the weak link, so whatever you do, don’t give an app permission to use Accessibility Services if it’s not an accessibility app (with Tasker being a notable exception).