Tech companies vs hackers: a cat and mouse game. No, this is not a title for a new movie. This is the reality we live in. It's always the same deal: tech companies release a new piece of software, and hackers find ways to bypass its security measures. The latest confirmation of these words is the fact that a hacker group called Hadoken is already working on a new app with a built-in method that can bypass one of Android 13's new security features (via Android Police).
With Android 13, Google now prevents sideloaded apps from getting access to your phone's accessibility services. This became necessary because Google's accessibility API can be exploited by hackers to control your phone and steal important data like bank accounts, for example.
However, as the researchers from ThreatFabric found out, Hadoken's app — which the researchers named BugDrop — bypasses Android 13's new prevention using Google's session-based package installation API. This is an API that allows apps like the Amazon App Store to download and install other apps on your phone. In Hadoken's case, the app that does that — or like ThreatFabric says, "the dropper" — is a QR code reader, which, when launched, downloads a payload using the session-based package installation API.
Recommended For You
As we can see from the picture below, Android 13 restricts the app from accessing the phone's accessibility services, but it doesn't block the downloaded payload. The malware can still activate and exploit the accessibility API.
Now, it looks like BugDrop is still in development because the team from ThreatFabric found out that the app doesn't request the "REQUEST_INSTALL_PACKAGES" permission, without which it can't install anything on your phone. However, this will probably soon change, so we hope that Google will find a way to fix the loophole, which Hadoken is trying to abuse. A cat and mouse game indeed.
Holiday special: Iconic Phones is now 10% off!
Our new coffee table book, Iconic Phones, is a stunning visual tribute to the legends in the world of phones, featuring exclusive high-resolution photography, stories, quotes and fun trivia. Save 10% by using this code at checkout: XMAS10. Offer lasts until 1 January 2026.
Preslav Mladenov is a News and Affiliate Content Writer at PhoneArena who started on his tech journalism journey in December 2021. With persistent knack for finding the best deals out there, he swiftly became a pivotal Affiliate Content Writer, guiding readers towards significant savings on a plethora of gadgets, including smartphones, smartwatches, tablets, Bluetooth speakers, and headphones. Mladenov's deep-seated knowledge of mobile tech, paired with a rich background in sales, empowers him to unearth the finest deals on the web.
A discussion is a place, where people can voice their opinion, no matter if it
is positive, neutral or negative. However, when posting, one must stay true to the topic, and not just share some
random thoughts, which are not directly related to the matter.
Things that are NOT allowed:
Off-topic talk - you must stick to the subject of discussion
Offensive, hate speech - if you want to say something, say it politely
Spam/Advertisements - these posts are deleted
Multiple accounts - one person can have only one account
Impersonations and offensive nicknames - these accounts get banned
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts:
New accounts created within the last 24 hours may experience restrictions on how frequently they can
post or comment.
These limits are in place as a precaution and will automatically lift.
Moderation is done by humans. We try to be as objective as possible and moderate with zero bias. If you think a
post should be moderated - please, report it.
Have a question about the rules or why you have been moderated/limited/banned? Please,
contact us.
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts: