Date: 2023-11-08

A dropper-as-a-service (DaaS) called ‘SecuriDropper’ uses a session-based installer to sideload malware, bypassing the Restricted Settings feature that Google introduced in Android 13. The malware uses an Android API to mimic a marketplace’s installation process, which prevents the operating system from identifying the payload as sideloaded. The dropper requests permissions to read and write external storage and to install and delete packages, and it checks whether the payload is installed on the device. If it is, it launches it, prompting the user to ‘reinstall’ the application. ThreatFabric has observed SecuriDropper delivering the SpyNote spyware family and the Ermac banking trojan.
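For triage, the permission combination described above can be checked against a decoded AndroidManifest.xml. The sketch below is an added example, not code from ThreatFabric or from the dropper; the exact permission strings, the package names and both sample manifests are assumptions constructed for illustration, since the summary names the capabilities only.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups from the summary. The concrete permission names are an
# assumption: the text says "read/write external storage, install and delete".
GROUPS = {
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "install": {"android.permission.REQUEST_INSTALL_PACKAGES",
                "android.permission.INSTALL_PACKAGES"},
    "delete": {"android.permission.REQUEST_DELETE_PACKAGES",
               "android.permission.DELETE_PACKAGES"},
}

def _manifest(package, perms):
    # Builds a constructed, decoded-text manifest for the samples below.
    tags = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{tags}<application/></manifest>')

# Constructed samples (hypothetical package names).
SAMPLE_DROPPER_LIKE = _manifest("com.example.updater", [
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.REQUEST_DELETE_PACKAGES"])
SAMPLE_FILE_MANAGER = _manifest("com.example.files", [
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.INTERNET"])

def requested_permissions(root):
    """Return the set of permission names declared in a parsed manifest."""
    wanted = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(ANDROID_NS + "name") for el in root.iter()
            if el.tag in wanted and el.get(ANDROID_NS + "name")}

def triage(manifest_xml):
    """Flag a manifest for review when all three capability groups appear."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    matched = {g: sorted(perms & names) for g, names in GROUPS.items()
               if perms & names}
    return {"package": root.get("package"), "matched": matched,
            "review": set(matched) == set(GROUPS)}

if __name__ == "__main__":
    for sample in (SAMPLE_DROPPER_LIKE, SAMPLE_FILE_MANAGER):
        print(triage(sample))
```

A match is a reason to look closer, not a verdict: legitimate app stores and file managers can declare the same permissions.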

