Google last week released Android 13 in the stable channel. The latest Android version comes with advanced security measures for better protection against malware and other threats. However, it seems attackers have already identified a way to bypass the new security measures. Malware developers have been found working on a new exploit to circumvent the restrictions around accessibility services that Google introduced with Android 13.

Attackers are developing malware that can bypass Android 13 security

As Android Police notes, accessibility services make it easier for apps to gain access to private data. As such, it is one of the most used gateways for Android malware. To reduce malware risks, Google doesn’t give sideloaded apps access to accessibility services on Android 13. This is because bad actors may trick users to sideload malware-laden apps that ask for accessibility services permission.

However, apps downloaded from the Play Store can still have this access because it’s a legitimate Android service that developers use to make their apps more accessible. This exemption also applies to apps downloaded from trusted third-party app stores such as the Amazon App Store. Google says these stores have security measures in place to scan for malware. Attackers have found a loophole here.

According to security research firm ThreatFabric, hackers part of the Hadoken group are developing Android malware that builds on older malware. It comes in two parts to bypass Google accessibility services restrictions. Firstly, attackers make users install a “dropper” from a legitimate app store. This dropper acts like an app store of its own, hence Google exempts it from the restrictions. It then installs malware on the victim’s device without restrictions to accessibility services.

There are already workarounds to Google‘s restrictions on accessibility services for sideloaded apps. However, those workarounds are more complex than this two-step dropping of malware. Attackers simply need to trick Android users to download the “dropper” which will likely be disguised as some productivity or utility app.

Avoid granting apps access to accessibility services

According to ThreatFabric, the Hadoken group is still working on this malware project. The research firm is calling the in-development malware “BugDrop”. The same group also developed the Android Banking trojan Xenomorph and another dropper malware called Gymdrop. The common link between the three malware projects is Android’s accessibility services. So whenever you install an app, don’t grant it permission to use accessibility services unless it is an accessibility app. Also, avoid installing untrusted apps on your device.