Why users should avoid downloading APK files on Android devices

A new cybercrime operation was found using methods that bypass “Restricted Settings” feature on Android devices to install malware capable of capturing on-screen text, gaining permission and stealing data

November 07, 2023 02:03 pm | Updated 03:07 pm IST

A new cybercrime operation named “SecuriDropper” was found using a method that bypasses the “Restricted Settings” feature in Android devices.

A new cybercrime operation named “SecuriDropper” was found using a method that bypasses the “Restricted Settings” feature in Android devices. | Photo Credit: Reuters

A new cybercrime operation named “SecuriDropper” was found using a method that bypasses the “Restricted Settings” feature in Android devices to install malware and obtain access to Accessibility Services.

The method used by cybercriminals is still present in Android 14 and uses session-based installation API for the malicious APK (Android package) files, which installs them in multiple steps, involving a “base” package and various “split” data files, a report from Bleeping Computer said.

The malware was found to infect Android devices by using legitimate apps, often impersonating a Google app, Android update, video player, security app or a game to lay the groundwork for a second payload to be delivered to devices. The second payload carries the malware.

The second stage of delivering the malware includes deceiving users by prompting them to click on a “Reinstall” button after displaying a fake error message about the APK files installation.

(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)

Once infected, the malware can abuse the Accessibility settings to capture on-screen text, granting additional permissions, and performing navigation actions remotely. The malware can also abuse the Notification Listener to steal one-time passwords.

Restricted Settings was introduced in Android 13 and is designed to prevent side-loaded applications (applications that are not available on Google Platy Store and are installed using APK files) from accessing powerful feature like the Accessibility settings and Notification Listener. Access to these features is commonly abused by malware to compromise the security on Android devices.

The cybercrime operation was also found to be using Android Dropper-as-a-Service. Android Droppers impede malware detection at the downloading stage and neutralise the system’s defences before installing the malware. This helps the malware access settings and permissions, it would otherwise be barred from accessing.

To protect against such attacks, Android users are advised to avoid downloading APK files from unknown sources or publishers they do not trust. Users can further check the permissions granted to installed apps and revoke them. Users can access permission settings by going to Settings then App, selecting the app and reviewing app permissions.

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.