Android 13 security feature designed to stop malware has already been bypassed

In Android 13, Google introduces new security measures to help protect users from malicious apps and other dangerous malware. However, it appears that hackers have already devised a way to bypass these new protections.

Security researchers at the fraud detection firm ThreatFabric have shed light on a new exploit in a blog post. According to the post, the exploit can allow a malicious app to appear as an app store so that it can bypass Android 13's new security measures.

As reported by Android Police, this new exploit builds on top of older malware that uses Android’s accessibility services to make it easier to access users’ private data, passwords and more.

Limiting access to Android’s accessibility services

Unlike in previous versions of Google’s mobile operating system, Android 13 no longer allows sideloaded apps to request access to a phone’s accessibility services.

Although there is currently a workaround that requires you to activate access under the app info screen, it could be removed by the search giant ahead of Android 13's wider release. (The updated software is available as an OTA update for Pixel phones.)

Google decided to make it more difficult for sideloaded apps to gain access to accessibility services because malicious apps and other malware usually ask for additional permissions during installation. Now, if you download an app from outside of an official app store, it will be harder for that app to access your contacts to spread spam or appear over other apps.

There is a catch, though, as many people rely on accessibility services to make their devices more usable. All apps downloaded from the Play Store or from third-party app stores like F-Droid or the Amazon App Store are exempt from this restriction.

Using app stores to bypass Google’s security measures

Allowing apps downloaded from official app stores to access accessibility services in Android 13 makes sense as, just like Google does on the Play Store, other official stores screen new apps to ensure they aren’t malicious by carefully checking their code.

However, malware developers from the Hadoken group are now using this to their advantage in the form of the new exploit discovered by ThreatFabric researchers, who have dubbed the exploit "BugDrop."

The exploit itself comes in two parts, with the first part installing a "dropper" app that acts like an app store on a victim’s device. From here, a session-based package installation API is used to install another app that actually contains malware.

Fortunately, ThreatFabric says that this malware is still in the early stages and that at the moment, it’s incredibly buggy. Nevertheless, it could be used to infect smartphones with malware once more phone makers start rolling out their Android 13 updates.

How to stay safe when downloading new apps

First things first, you should never sideload apps on your Android smartphone and should instead download them from official app stores. However, bad apps do manage to slip through the cracks from time to time, which is why you should always look at an app’s reviews and ratings first.

At the same time, you should avoid installing apps you don’t really need and delete any apps you’re no longer using. Enabling Google Play Protect on your devices is another way you can stay safe since Google’s own Android antivirus app scans all of the apps you have installed for malware and other threats. 

When it comes to permissions, you should be wary of any app that asks for permissions it may not actually need such as being able to draw over other apps. Apps that request access to Android’s accessibility settings should also be treated with extra caution.
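
One way to apply that caution on a device you manage, as an added example that is not from the article or from ThreatFabric: the Python sketch below cross-checks the apps that own an enabled accessibility service against the installer recorded for each package, using the text output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`. The store allowlist, the function names and the sample data are assumptions made for this illustration.

```python
import re

# Assumption: installer package names treated as recognised app stores.
KNOWN_STORES = {"com.android.vending",  # Google Play Store
                "org.fdroid.fdroid",    # F-Droid
                "com.amazon.venezia"}   # Amazon Appstore
PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Map package -> installer of record (None when none is recorded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_accessibility(setting):
    """Packages that own an enabled accessibility service, in order."""
    setting = setting.strip()
    if setting in ("", "null"):           # nothing enabled
        return []
    pkgs = []
    for component in setting.split(":"):  # entries look like pkg/service
        pkg = component.split("/", 1)[0].strip()
        if pkg and pkg not in pkgs:
            pkgs.append(pkg)
    return pkgs

def audit(pm_output, setting, known_stores=KNOWN_STORES):
    """(package, installer) for accessibility apps not from a known store."""
    installers = parse_installers(pm_output)
    return [(pkg, installers.get(pkg))
            for pkg in parse_accessibility(setting)
            if installers.get(pkg) not in known_stores]

# Constructed sample input, not captured from a real device.
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.qrscanner  installer=com.example.dropper
package:com.example.reader  installer=null
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.qrscanner/.Svc:com.example.reader/.ReadService")

if __name__ == "__main__":
    for pkg, inst in audit(SAMPLE_PM, SAMPLE_A11Y):
        print(f"review: {pkg} (installer of record: {inst})")
```

An installer of `None` covers preinstalled packages as well as sideloaded ones, so the output is a list of apps to review, not a verdict.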

Anthony Spadafora
Senior Editor Security and Networking
