If you have a Pixel 4 or later, you can enjoy Android 13, the latest version of Google’s operating system, for a few days. Among its novelties we find its new visual language Material You, improvements in connectivity thanks to Bluetooth LE and many new functions focused on user security and privacy, among other things. However, although the company has further fortified its system, continues with some holes, and some have already detected them.

The accessibility permission has given more than one headache to Google and its users. It was the gateway for Flubot, the Trojan behind the SMS scam, and multiple apps that inject malicious code have taken advantage of this permission to fully control our mobile phone. Although in Android 13 this permission has been improved, there are those who have managed to violate it again through a more sophisticated method.

The accessibility permission returns to war in Android 13

When we install an application on an Android phone, they need certain permissions granted by the user and the system to perform certain functions. One of these permissions is accessibility, an Android tool designed so that users with certain physical or sensory disabilities can interact with the phone. However, by enabling this permission, the app can get to see, touch and collect all the data on the screensomething that comes in handy for any hacker for criminal purposes.

With the arrival of Android 13, Google restricted some aspects of this permission. And it is that the system now detects if an app was installed from an app store or from outside it. In this way, if it has been installed externally, the option to give it accessibility permission will be blocked.

Of course, this limitation comes in handy to protect the device from applications that are installed outside of the application stores through sideloading. But what happens if this restriction can be circumvented by modifying the APK? This is the issue that Threatfabric researchers have addressed, who have discovered a new malware that they have called BugDrop, an app that pretends to be a QR code reader.

A method that tricks the system to violate the restrictions

As soon as you run the app, a drop-down appears asking for accessibility permission. This is achieved through a modification in the APK code, hiding the package ‘com.secpro.androidapkupdater‘. said package manages to trick the system into believing that what has been installed is an app store. In this way, if the user ends up accepting the accessibility permission, the app would end up having full control of the device.

This method was recycled from old malware that had the ability to install APKs on the phone. Although in Android 13 it is not possible for an app from a third-party store to obtain accessibility permissions, the app can obtain this permission if includes in your code the use of a login-based API. This is achieved through the string ‘com.example.android.apis.content.SESSION API PACKAGE INSTALLED’, which is a method used by app stores.

At the moment, this malware is in an early stage of development, and no applications actively using it have yet been discovered. However, everything indicates that it will be one more weapon in the great arsenal that cybercriminals can use to violate the security of a mobile device.