New malware bypasses one of the latest Android 13 security features
Tech companies vs hackers: a cat and mouse game. No, this is not the title of a new movie. This is the reality we live in. It's always the same deal: tech companies release a new piece of software, and hackers find ways to bypass its security measures. The latest confirmation is that a hacker group called Hadoken is already working on a new app with a built-in method to bypass one of Android 13's new security features (via Android Police).
With Android 13, Google now prevents sideloaded apps from getting access to your phone's accessibility services. This became necessary because Google's accessibility API can be exploited by hackers to control your phone and steal important data, such as bank account details.
However, as the researchers from ThreatFabric found out, Hadoken's app — which the researchers named BugDrop — bypasses Android 13's new restriction using Google's session-based package installation API. This is the API that allows apps like the Amazon App Store to download and install other apps on your phone. In Hadoken's case, the app that does this — or, as ThreatFabric calls it, "the dropper" — is a QR code reader which, when launched, downloads a payload using the session-based package installation API.
Now, it looks like BugDrop is still in development, because the team from ThreatFabric found that the app doesn't request the "REQUEST_INSTALL_PACKAGES" permission, without which it can't install anything on your phone. However, this will probably change soon, so we hope that Google will find a way to close the loophole that Hadoken is trying to abuse. A cat and mouse game indeed.
As we can see from the picture below, Android 13 restricts the dropper app itself from accessing the phone's accessibility services, but it doesn't apply the same block to the downloaded payload. The payload can still enable and abuse the accessibility API.
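For readers doing app triage, the article's two indicators translate into a simple static check: an app that asks for REQUEST_INSTALL_PACKAGES can push further packages onto the device through the session-based installer, and an app that declares an accessibility service is the piece that can abuse the accessibility API. The script below is an added example written for this article, not code from ThreatFabric or from the BugDrop sample; it reads a decoded AndroidManifest.xml (as produced by a tool such as apktool) and reports those two capabilities. The package names and manifests in it are constructed for illustration.

```python
"""Static manifest triage for the two capabilities the article describes.

Added example; the sample manifests and package names below are constructed
and do not describe any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permission a dropper needs before PackageInstaller will install its payload.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
# Marker of an accessibility service (the component Android 13 tries to gate).
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(manifest_xml: str) -> dict:
    """Return which of the article's two capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}

    # An accessibility service is a <service> bound with BIND_ACCESSIBILITY_SERVICE
    # and/or carrying an intent-filter for the AccessibilityService action.
    accessibility_services = []
    for service in root.iter("service"):
        bound = service.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND
        actions = {a.get(NAME_ATTR) for a in service.iter("action")}
        if bound or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(service.get(NAME_ATTR))

    can_install = INSTALL_PERMISSION in permissions
    findings = []
    if can_install:
        findings.append("requests REQUEST_INSTALL_PACKAGES: can install further packages")
    if accessibility_services:
        findings.append("declares an accessibility service: review what it automates")
    return {
        "package": root.get("package"),
        "requests_install_packages": can_install,
        "accessibility_services": accessibility_services,
        "findings": findings,
    }


# Constructed sample: a "QR reader" that also asks to install packages.
SAMPLE_DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrreader.dropper">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><activity android:name=".ScanActivity"/></application>
</manifest>"""

# Constructed sample: a payload that hosts an accessibility service.
SAMPLE_PAYLOAD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.payload">
  <application>
    <service android:name="com.example.payload.SvcA"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a plain QR reader with only the camera permission.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrreader">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><activity android:name=".ScanActivity"/></application>
</manifest>"""


if __name__ == "__main__":
    for sample in (SAMPLE_DROPPER_MANIFEST, SAMPLE_PAYLOAD_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], "->", result["findings"] or ["nothing notable"])
```

The check is deliberately narrow: it does not decide whether an app is malicious, only surfaces the capability mismatch the article points at (a QR reader that can install other packages, or a freshly dropped package that wants accessibility access), which is what a reviewer then examines by hand.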