New malware bypasses the latest Android 13 security measures


A group of hackers called Hadoken has developed malware that can bypass one of the new security features of Android 13.

Android 13 prevents sideloaded apps from accessing the phone’s accessibility services. This became necessary because Google’s Accessibility API can be exploited by hackers to control the phone and steal sensitive data.

However, as ThreatFabric researchers discovered, the Hadoken app (which the researchers called BugDrop) bypasses the new Android 13 restriction by using Google’s session-based package installation API.

This is an API that allows applications such as the Amazon App Store to download and install other apps on the phone. In the case of Hadoken, the app that does this is a QR code reader that, when launched, downloads a payload using the session-based package installation API.

As we can see in the image below, Android 13 restricts the application’s access to the phone’s accessibility services, but does not block the downloaded code. Malware can still trigger and exploit the Accessibility API.
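For app vetting, the pattern described above can be triaged statically. The following is an added example, not code from the article or from ThreatFabric: it assumes the manifest has already been decoded to text XML (for instance with apktool), relies on the fact that a third-party app that installs other APKs must request `REQUEST_INSTALL_PACKAGES`, and uses constructed manifests with hypothetical package names.

```python
import xml.etree.ElementTree as ET  # use defusedxml for manifests from untrusted APKs

NS = "{http://schemas.android.com/apk/res/android}"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

def triage_manifest(manifest_xml: str) -> dict:
    """Flag the two halves of the dropper pattern in one decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(NS + "name") for a in svc.iter("action")}
        if svc.get(NS + "permission") == A11Y_BIND or A11Y_ACTION in actions:
            services.append(svc.get(NS + "name"))
    findings = []
    if INSTALL_PERM in perms:
        findings.append("can-install-packages")  # app may install other APKs
    if services:
        findings.append("declares-accessibility-service")
    return {"package": root.get("package"), "findings": findings,
            "accessibility_services": services}

# Constructed sample manifests (hypothetical package names, not from the article).
DROPPER = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.qrreader">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><activity android:name=".ScanActivity"/></application>
</manifest>"""
PAYLOAD = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.payload">
  <application>
    <service android:name=".OverlayService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (DROPPER, PAYLOAD):
        print(triage_manifest(sample))
```

A utility such as a QR code reader that is flagged `can-install-packages` has no obvious need for that permission and deserves manual review.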

Hopefully Google finds a way to fix this hole that Hadoken is trying to exploit.