SecuriDropper [1] [2] [3] [4] [5] [6] [7], a newly discovered dropper-as-a-service (DaaS) for Android [1] [3] [7], bypasses Android's "Restricted Settings" feature, the Google security measure introduced in Android 13 that stops sideloaded apps from being granted sensitive permissions such as Accessibility, and uses that bypass to deliver malware. The technique is not a code-execution bug in Android; it is a way of installing the payload so that the Restricted Settings block never applies to it.


SecuriDropper disguises itself as a harmless app [1] [2] [3] [7], such as a Google app or an Android update [2], and uses the session-based package installation API to install its payload on the compromised device [1] [3] [7]. This is the installation path used by marketplaces, not the ordinary sideloading path that Restricted Settings keys on [1] [3] [7]. The dropper requests the permissions to read and write external storage [1] and to install and delete packages [1], which is all it needs to stage and install the payload. The droppers are distributed through deceptive websites and third-party platforms [3], and the payloads they deliver include Android banking trojans such as SpyNote and ERMAC [3]. Another dropper service, Zombinder, has been observed offering a similar Restricted Settings bypass [1]. Because the payload is installed through the marketplace-style path, the Restricted Settings block does not apply to it, and the payload can prompt the victim for the Accessibility and Notification Listener permissions that banking trojans rely on, even though the user nominally controls app permissions.
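The installation trick described above leaves a trace a practitioner can check for: when a dropper installs its payload through a session, the payload's installer of record is the dropper's own package, not a store. The following script is an added triage example, not code from the article or from ThreatFabric, that parses the output of two adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags every enabled accessibility service whose package was not installed by a known store. All package names in the sample data are constructed for the example, and the store list is an assumption to be extended for the device under analysis.

```python
"""Added triage example: flag enabled accessibility services whose package
did not come from a known app store.

Restricted Settings (Android 13+) refuses the Accessibility permission to
apps installed through the non-session sideloading path. A dropper that
installs its payload through the session-based PackageInstaller API gets
around that block, but the payload's installer of record is then the
dropper's own package, not a marketplace. On a real device the inputs come
from:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i

All package names below are constructed for the example.
"""

# Installer package names treated as legitimate stores (assumption: extend
# for the vendor stores present on the device under analysis).
KNOWN_STORE_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
    "com.amazon.venezia",               # Amazon Appstore
}


def parse_installers(pm_output):
    """Parse `pm list packages -i` lines of the form
    'package:<pkg>  installer=<installer or null>' into {pkg: installer|None}."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, sep, installer = line.partition("installer=")
        pkg = pkg_part[len("package:"):].strip()
        installer = installer.strip()
        installers[pkg] = None if (not sep or installer == "null") else installer
    return installers


def parse_enabled_services(settings_output):
    """Parse the colon-separated enabled_accessibility_services value
    ('pkg/Service:pkg2/Service2'); 'null' or empty means none enabled."""
    value = settings_output.strip()
    if not value or value == "null":
        return []
    return [entry for entry in value.split(":") if entry]


def find_suspicious_accessibility_services(settings_output, pm_output,
                                           known_stores=KNOWN_STORE_INSTALLERS):
    """Return (component, installer, reason) for each enabled accessibility
    service whose package was not installed by a known store."""
    installers = parse_installers(pm_output)
    findings = []
    for component in parse_enabled_services(settings_output):
        pkg = component.split("/", 1)[0]
        installer = installers.get(pkg)
        if installer in known_stores:
            continue
        if installer is None:
            reason = "no installer recorded (sideloaded or unknown package)"
        else:
            reason = "installed by %s, not a known store" % installer
        findings.append((component, installer, reason))
    return findings


# Constructed sample output, as a device compromised by a dropper might show:
# the dropper (com.example.dropper) installed the payload (com.example.payload)
# through an install session, so the payload's installer is the dropper itself.
SAMPLE_SETTINGS = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.payload/com.example.payload.AccessService:"
    "com.example.sideloaded/com.example.sideloaded.HelperService"
)
SAMPLE_PM = """\
package:com.android.vending  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.dropper  installer=null
package:com.example.payload  installer=com.example.dropper
package:com.example.sideloaded  installer=null
"""

if __name__ == "__main__":
    for component, installer, reason in find_suspicious_accessibility_services(
            SAMPLE_SETTINGS, SAMPLE_PM):
        print("SUSPICIOUS %s (%s)" % (component, reason))
```

This is a triage heuristic, not a detection: a user can also grant a sideloaded app Accessibility by hand through "Allow restricted settings", a payload whose installer is itself a store-installed app would pass the check, and the `pm list packages -i` line format is the one current Android builds print, so verify it on the device before relying on the parser. A hit is a lead for pulling the package and its installer for analysis.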


Google Play Protect is designed to block apps known to exhibit malicious behaviour [3], which limits the reach of known dropper samples but does not close the underlying gap. The bypass still works on Android 14 [5], and SecuriDropper is the first known case of the technique being used in cybercrime operations targeting Android users [5]. Until the Restricted Settings check covers session-based installs from non-store apps, users should be wary of installing "updates" or Google-branded apps from outside an official store, and defenders should treat an accessibility service granted to a package installed by another app as a red flag.