They continue to take advantage of the accessibility permission to sneak malware into Android 13

31 December 2022

The final version of Android 13 is already here, but the accessibility permission is still Android's main Trojan horse: apps can completely control our device using it. As reported by ThreatFabric, a Trojan capable of bypassing the new limitations of Android 13 with this permission is already being worked on. Notorious cases such as Flubot, the Trojan behind the SMS scam, have already abused the accessibility permission. This new malware works in an even more sophisticated way, but is based on the same principle.


Accessibility permission is potentially dangerous

The accessibility permission, as its name suggests, is an Android tool designed so that users with certain disabilities can interact with the phone. By enabling this permission, the droidjack app can see, touch, and collect all screen data. In other words, it can have full control over the phone, since the original purpose is for the app to be able to perform the basic tasks that the user cannot perform. Although it was created with a good purpose, the permission is more than dangerous for security.

To try to partially solve the problem, with the arrival of Android 13 Google imposed some limitations. The system now detects whether an app has been installed from an app store or from outside it. If it has been installed from outside, the option to give it accessibility permission will be blocked. Bypassing this limitation did not seem so difficult: getting the malicious APK installed from an app store.

ThreatFabric researchers discovered a new malware called BugDrop, an app that pretends to be a QR code reader. As soon as you open it, the app asks for accessibility permissions. But how does it get them? This APK does not act like a normal APK: its code hides a package called com.secpro.androidapkupdater, which manages to trick the system and act like an app store. Within this package, access to the accessibility permission is requested, and the app can obtain it without any problem.

This method is inherited from old malware, which had the ability to install APKs on the device. In Android 13 this is achieved thanks to the string "com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED"; from this complex name you should only keep the word "Session". In Android 13, as we indicated, it is not possible for an app that has been loaded from outside to obtain accessibility permissions, but apps with a session-based API can (since this is the method used by app stores).

In other words? Android 13 does not really distinguish between what is an app store and what is not; it simply grants or withholds the possibility of accessing this permission depending on whether the app has been loaded from outside or uses the session-based API (a REST API with token-based authentication).
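Because the platform check keys on how an app was installed rather than on what the app is, a reviewer can look for the combination described above in the app itself. The following triage sketch is an added example, not code from ThreatFabric or from the malware: it flags a decoded manifest that declares an accessibility service together with package-install capability or the session marker string quoted above (written with the underscores of the original constant). The indicator names, the scoring rule and the sample manifests are assumptions of this example, and the string constants are assumed to have been extracted from the APK by a separate tool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Marker string quoted in the article; the other indicators are assumptions of this example.
SESSION_MARKER = "com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED"
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifests (not taken from any real APK).
SAMPLE_DROPPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.qrreader">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_READER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.screenreader">
  <application>
    <service android:name=".Reader" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage(manifest_xml, app_strings):
    """Return the indicators found in a decoded manifest and the app's string constants."""
    root = ET.fromstring(manifest_xml)  # untrusted input: run this inside an analysis sandbox
    findings = []
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    if INSTALL_PERMISSION in requested:
        findings.append("requests-package-install")
    if any(s.get(ANDROID_NS + "permission") == A11Y_BIND_PERMISSION for s in root.iter("service")):
        findings.append("declares-accessibility-service")
    if any(SESSION_MARKER in s for s in app_strings):
        findings.append("session-install-marker")
    return findings


def is_suspicious(findings):
    # An accessibility service alone is normal; paired with install capability it needs review.
    return "declares-accessibility-service" in findings and (
        "requests-package-install" in findings or "session-install-marker" in findings)


if __name__ == "__main__":
    for name, xml, strings in [("dropper", SAMPLE_DROPPER, [SESSION_MARKER]), ("reader", SAMPLE_READER, [])]:
        print(name, triage(xml, strings), is_suspicious(triage(xml, strings)))
```

A hit is a reason to inspect the app manually, not a verdict: legitimate app stores also request package installation, and legitimate assistive tools declare accessibility services.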

This malware is still in an early stage of development, so there is no news yet of applications infecting devices with it globally. However, it jeopardizes the security of a system that promised to solve the problems of the famous accessibility permission.

Lone Mind 2