The ever-changing landscape of mobile security is a constant battle between security researchers and malicious actors.
As security measures are implemented, cybercriminals find new ways to bypass them.
One such instance is the introduction of Android 13’s “Restricted Settings” feature, designed to prevent unauthorized access to sensitive permissions.
The emergence of SecuriDropper and Zombinder, however, demonstrates that cybercriminals have discovered ways to get around this security measure.
SecuriDropper: A New Wave of Dropper-as-a-Service (DaaS)
SecuriDropper is a member of the Dropper-as-a-Service (DaaS) family, which has gained momentum in the cyber underground.
SecuriDropper uses a distinct installation process that resembles how official marketplaces install new applications, in contrast to its predecessors.
SecuriDropper gets around Android 13’s Restricted Settings feature by using certain permissions and a session-based installation method. This lets cybercriminals install malware payloads without being caught, we have learned from ThreatFabric Research.
SecuriDropper’s ability to distribute various types of malware, including spyware and banking Trojans, is a significant concern.
The dropper facilitates the deployment of SpyNote, a powerful spyware family that captures sensitive information such as text messages, call logs, and screen recordings.
Additionally, SecuriDropper has been observed distributing banking Trojans, designed to steal financial information and manipulate transactions, posing a significant threat to users’ financial security.
Zombinder: Bridging Legitimate Apps and Malicious Payloads
Zombinder is another innovative tool in the cybercriminal arsenal, offering a unique approach to bypassing Android 13’s defenses.
This service combines legitimate applications with malicious code, creating a covert delivery mechanism for malware.
While initially advertised for $1000 as a complete package, recent developments have revealed that Zombinder purchasers gain access to a dropper builder, aligning with the capabilities of SecuriDropper.
Although a direct connection between SecuriDropper and Zombinder is yet to be established, the similarities raise concerns about the evolving tactics employed by malicious actors.
Webinar on Cyber Resilience for Financial Sector
Ensure your Cyber Resiliance with the recent wave of cyber-attacks targeting the financial services sector. Almost 60% respondents not confident to recover fully from a cyber attack.
The Implications for Mobile Security
The emergence of SecuriDropper and services like Zombinder underscores the challenges faced by organizations and individuals relying on mobile channels.
As Android continues to enhance its security features, cybercriminals respond with innovative techniques to exploit vulnerabilities.
Dropper-as-a-service platforms have become potent tools for malicious actors, compromising users’ privacy and financial security.
For businesses and users alike, it is crucial to stay vigilant and informed about the latest developments in mobile security.
Regularly updating devices, avoiding sideloading applications from untrusted sources, and being cautious of unexpected prompts for sensitive permissions are essential to mitigating the risks posed by evolving threats like SecuriDropper and Zombinder.
Stay tuned for further updates as ThreatFabric researchers continue to monitor these evolving threats and their implications for the mobile security landscape.
Indicators of Compromise
SecuriDropper Samples
| HASH (SHA256) | APP NAME | PACKAGE NAME |
| 68234450d90668909697893a76fc4a0791b35ba3f7bfc4d9d14f2866706019f3 | com.appd.instll.load | |
| 2f64dd679494bdfba962bdc8ec6fb5e13ec4c754f12d494291442dc3e4862a93 | Chrome | com.appd.instll.load |
Dropped Payload Samples
SpyNote.
| HASH (SHA256) | APP NAME | PACKAGE NAME |
| 22630eee4fdf1958e6c98721f0ccc522b2413a6f6c49f315f34c45726bf18b2d | pole.pst.read |
Ermac.C
| HASH (SHA256) | APP NAME | PACKAGE NAME |
| 13daf7b94124c142d509b036516eb3d532c22696574d8cd5d65aa9d636c293a9 | Chrome | com.jakedegivuwuwe.yewo |
Patch Manager Plus: Patch over 850 third-party applications quickly – Try Free Trial.
%20(1).webp "Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence"){kind=small}
.webp "400k Linux Servers Hacked to Mine Cryptocurrency"){kind=small}
.webp "Ascension Healthcare Systems Hacked, Hospitals Diverting Emergency Service"){kind=small}