Cyber Security News

Threat Actors Using Malware Loaders To Bypass Android 13+ Accessibility Restrictions

Cybercriminals have successfully circumvented Google’s Android 13 security enhancements designed to prevent malicious applications from abusing accessibility services, according to recent threat intelligence findings.

The tech giant implemented these restrictions specifically to block accessibility access for sideloaded applications, a measure that initially showed promise in reducing malware distribution that exploited this sensitive system feature.

However, threat actors have rapidly adapted their tactics by deploying sophisticated session-based package installers, effectively neutralizing Google’s protective measures and enabling continued deployment of malicious payloads.

This development represents a significant escalation in the ongoing cat-and-mouse game between platform security teams and cybercriminal organizations seeking to exploit mobile banking and financial applications.

Intel471 analysts identified that one of the most prominent examples of this evasion technique is TiramisuDropper, which has gained widespread adoption among operators of Android banking trojans including Hook, TgToxic, and TrickMo.

The loader’s effectiveness has made it a preferred tool for distributing various malware families across the underground ecosystem, demonstrating the adaptability and persistence of modern threat actors in overcoming platform-level security controls.

The implications of these bypass techniques extend far beyond individual device infections, as they enable large-scale fraud campaigns targeting financial institutions and their customers.

Traditional detection methods struggle to identify these loaders due to their sophisticated evasion capabilities and the legitimate appearance of their installation processes, creating significant challenges for both endpoint security solutions and mobile device management platforms.
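As an added triage example (not Intel471's tooling or anything from the report), the following Python correlates the accessibility services a device has enabled with the installer Android recorded for each package, the two values an analyst would pull over adb. It assumes `com.android.vending` is the only trusted installer and runs against constructed sample output; a package holding accessibility access whose recorded installer is another sideloaded app, or null, is the pattern the session-based loaders described above leave behind.

```python
import re
from typing import Dict, List, Optional

# Assumption: only Google Play counts as a store install; extend for enterprise stores.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw: str) -> List[str]:
    """Parse `adb shell settings get secure enabled_accessibility_services`.
    Value is colon-separated 'package/ServiceClass' entries, or 'null'."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Parse `adb shell pm list packages -i` output.
    Each line reads 'package:<pkg>  installer=<pkg|null>'."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            pkg, installer = match.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def flag_untrusted_accessibility(services_raw: str, installers_raw: str) -> Dict[str, Optional[str]]:
    """Return {package: recorded installer} for every package with accessibility
    access whose installer is not a trusted store. A session-based dropper
    leaves its own package name (or null) here rather than the store's."""
    installers = parse_installers(installers_raw)
    return {
        pkg: installers.get(pkg)
        for pkg in parse_enabled_services(services_raw)
        if installers.get(pkg) not in TRUSTED_INSTALLERS
    }


# Constructed sample output (not captured from a real device) for an offline run.
SAMPLE_SERVICES = "com.android.talkback/.TalkBackService:com.example.update/.A11ySvc"
SAMPLE_PM = """package:com.android.talkback  installer=com.android.vending
package:com.example.update  installer=com.example.installer
package:com.example.game  installer=null
"""

if __name__ == "__main__":
    # Against a live device, feed the two adb command outputs instead of the samples.
    print(flag_untrusted_accessibility(SAMPLE_SERVICES, SAMPLE_PM))
```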

Loader Distribution Mechanisms

The technical architecture underlying these accessibility restriction bypasses reveals a sophisticated understanding of Android’s security model and installation processes.

Data collected from April 4, 2024, to December 31, 2024, shows that TiramisuDropper facilitated the distribution of multiple malware families, with Hook accounting for 29.9% of observed infections, followed by TgToxic at 22% and TrickMo at 14.8%.

Malware Families Sideloaded Using Tiramisu Dropper (Source – Intel471)

The above distribution breakdown shows the prevalence of banking-focused malware strains leveraging this loader technology.

The remaining infections comprised Coper (12%), Medusa (11.7%), Spynote (6.9%), and other variants including Tremendous and Ermac, collectively representing the diverse ecosystem of Android malware benefiting from these evasion techniques.

The emergence of the Brokewell Android loader in April 2024 further accelerated this trend when actor Samedit_Marais, also known as BaronSamedit, publicly released its source code on the Exploit cybercrime forum.

This open-source approach enabled widespread integration of accessibility bypass capabilities into existing malware frameworks, potentially triggering a significant increase in variants designed to evade Android’s defensive measures.

Security researchers anticipate that existing “dropper-as-a-service” providers will face substantial disruption as these bypass techniques become commoditized, forcing them to either cease operations or undergo significant restructuring to maintain competitive advantages.

This democratization of advanced evasion techniques represents a concerning trend that could substantially increase the volume and sophistication of Android malware campaigns targeting financial services and personal data.


Tushar Subhra Dutta

