Android Droppers Now Deliver SMS Stealers and Spyware, Not Just Banking Trojans
Briefly

"The Dutch mobile security firm said the change is driven by recent security protections that Google has piloted in select markets like Singapore, Thailand, Brazil, and India to block sideloading of potentially suspicious apps requesting dangerous permissions like SMS messages and accessibility services, a heavily abused setting to carry out malicious actions on Android devices. 'Google Play Protect's defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run,' the company said. 'Second, actors want to future-proof their operations.'"
"'By encapsulating even basic payloads inside a dropper, they gain a protective shell that can evade today's checks while staying flexible enough to swap payloads and pivot campaigns tomorrow.' ThreatFabric said that while Google's strategy ups the ante by blocking a malicious app from being installed even before a user can interact with it, attackers are trying out new ways to get around the safeguards -- an indication of the endless game of whack-a-mole when it comes to security."
Dropper apps are increasingly used to distribute not only banking trojans but also simpler malware such as SMS stealers and basic spyware. These droppers often masquerade as government or banking apps in India and parts of Asia. Recent security measures target sideloaded apps requesting dangerous permissions like SMS access and accessibility services. Attackers now encapsulate payloads inside droppers that avoid requesting high-risk permissions and display a harmless "update" screen. The actual malicious payload is fetched or unpacked only after a user clicks Update, at which point it requests the permissions needed to execute its functions.
Read at The Hacker News