BugDrop: The First Malware Trying To Circumvent Google Security Controls

Researchers have discovered a previously undocumented Android dropper trojan that is currently in development, indicating that malicious actors are still finding ways to circumvent Google Play Store security safeguards.

“This new malware attempts to abuse devices by spreading the perilous Xenomorph banking trojan, allowing criminals to perform On-Device Fraud on victim’s devices,” ThreatFabric’s Han Sahin said in a statement shared with The Hacker News.

The dropper app, dubbed BugDrop by the Dutch security firm, is explicitly designed to circumvent a new feature in the upcoming version of Android that is intended to make it harder for malware to obtain Accessibility Services privileges from victims.

ThreatFabric attributed the dropper to the cybercriminal group "Hadoken Security," which is also responsible for developing and distributing the Gymdrop and Xenomorph Android malware families.

Banking trojans are typically distributed on Android devices via innocuous dropper apps that masquerade as productivity and utility apps and, once installed, dupe users into granting invasive permissions.


Notably, the Accessibility API, which allows apps to read the contents of the screen and perform actions on the user’s behalf, has been heavily abused, allowing malware operators to collect sensitive data such as credentials and banking information.

This is accomplished through overlay attacks, in which the trojan draws a bogus lookalike login form, fetched from a remote server, on top of the targeted app (a banking app or cryptocurrency wallet, for example) the moment the victim launches it, so the credentials typed into the fake form go to the attacker.

[Figure: Xenomorph overlay configs]

Given that most of these malicious apps are sideloaded, which is only possible if the user has allowed installation from unknown sources, Google introduced "restricted settings" in Android 13: an app installed from outside an app store (that is, from an APK file opened through a browser or file manager rather than through the session-based installer path that app stores use) is blocked by default from being granted Accessibility Services access, and the user has to explicitly lift the restriction from the app's settings page before the permission can be enabled at all.

However, adversaries are already attempting to circumvent this restriction. Enter BugDrop, a malicious payload deployment tool that poses as a QR code reader app and is being tested by its authors to deploy payloads via a session-based installation process, the same PackageInstaller session API that legitimate app stores use. Because Android 13 decides whether to apply restricted settings based on how an app was installed rather than on who installed it, a payload installed this way is treated like a store-installed app and is free to request Accessibility Services access.
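The restricted-settings check keys off the install method, not the identity of the installer, which is the gap BugDrop aims at. A responder triaging a device can close that gap from the other side: the package manager still records which package performed the install, so an app that holds Accessibility access and was installed by anything other than a known store (a sideloaded "QR scanner", say) stands out. The following is an added example, not code from ThreatFabric or the BugDrop research; it parses constructed sample output of two `adb shell` commands (`pm list packages -i` and `settings get secure enabled_accessibility_services`), and the package names, service names and the `KNOWN_STORES` allowlist are assumptions for illustration.

```python
"""Triage helper: flag apps that hold Accessibility access but were not
installed by a known app store.

Added example (not part of the original article or the research it cites).
Paste the real output of
    adb shell pm list packages -i
    adb shell settings get secure enabled_accessibility_services
into the two SAMPLE_* strings below to run it against a live device.
"""
import re

# Assumed allowlist of installer packages a practitioner would trust.
KNOWN_STORES = {
    "com.android.vending",               # Google Play
    "com.sec.android.app.samsungapps",   # Galaxy Store
}

# Constructed sample output of `adb shell pm list packages -i`.
# The dropper itself has no installer (plain sideload), and the payload it
# installed through a PackageInstaller session lists the dropper as installer.
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.qrscanner  installer=null
package:com.example.payload  installer=com.example.qrscanner
"""

# Constructed sample output of `settings get secure enabled_accessibility_services`:
# a colon-separated list of flattened ComponentNames (package/service).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.payload/.AccService"
)

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(text):
    """Map package name -> installer package ('null' for a plain APK sideload)."""
    installers = {}
    for line in text.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_a11y_services(text):
    """Return the set of packages that currently have an accessibility service enabled."""
    pkgs = set()
    for component in text.strip().split(":"):
        if "/" in component:            # accepts both full and short (pkg/.Cls) forms
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def suspicious_a11y_apps(pm_text, a11y_text):
    """List (package, installer, reason) for accessibility-enabled apps not installed by a known store."""
    findings = []
    installers = parse_installers(pm_text)
    for pkg in sorted(parse_a11y_services(a11y_text)):
        installer = installers.get(pkg, "null")
        if installer in KNOWN_STORES:
            continue
        if installer == "null":
            reason = "sideloaded, no installer recorded"
        else:
            reason = "installed by non-store app " + installer
        findings.append((pkg, installer, reason))
    return findings


if __name__ == "__main__":
    for pkg, installer, reason in suspicious_a11y_apps(SAMPLE_PM_LIST, SAMPLE_A11Y):
        print(f"SUSPICIOUS {pkg} (installer={installer}): {reason}")
```

On the constructed data only `com.example.payload` is flagged: TalkBack came from Play, and the dropper itself has no accessibility service enabled, but the payload it installed does, and its recorded installer is the dropper rather than a store. That is exactly the case Android 13's install-method check lets through, which is why an installer-identity check is the useful complement during incident triage.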

“What is likely happening is that actors are testing a session-based installation method on an infected device using an already built malware capable of installing new APKs,” the researchers said.

If the technique is completed, banking trojans will become a more dangerous threat, capable of bypassing a security defense before it has even reached most devices.

“With the completion and resolution of all the issues currently present in BugDrop, criminals will have another efficient weapon in the war against security teams and banking institutions, defeating Google’s current solutions, which are clearly insufficient to deter criminals,” the company stated.

It is interesting to see that in one of the fake activities used by the dropper, specifically the one that should be used to send messages via the social messaging app WhatsApp, the default country code is set up to be +92, corresponding to Pakistan. This information could give an indication of the possible target area for the future of this dropper, but currently, there is not enough information to substantiate this claim.

To avoid malware that slips into official app stores, users are advised to download only applications from known developers and publishers, scrutinize app reviews, check the apps' privacy policies, and be wary of any app that asks for Accessibility Services access it has no obvious need for.
