{
	"id": "2a38200f-33ca-4449-951c-f2bb5e008683",
	"created_at": "2026-04-06T00:21:03.080419Z",
	"updated_at": "2026-04-10T03:30:33.359439Z",
	"deleted_at": null,
	"sha1_hash": "eedf9565eb35c96634000fe0307e04b4e982648b",
	"title": "BugDrop: the first malware trying to circumvent Google's security Controls",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1114915,
	"plain_text": "BugDrop: the first malware trying to circumvent Google's security controls\r\nPublished: 2024-10-01 · Archived: 2026-04-05 19:20:04 UTC\r\nIntro\r\nBetween 2020 and 2021, the Android malware epidemic took over the banking threat landscape. Families like Anatsa and Cabassous spread to thousands of victims through international SMiShing campaigns, coupled with various kinds of web phishing pages to trick users into downloading malicious APKs.\r\nIn 2022, this trend was confirmed, with a heavy switch in distribution techniques in favour of droppers: Android applications whose sole purpose is to bypass the security measures used in official marketplaces like the Google Play Store and deploy their payload, which is usually an Android banking trojan.\r\nAndroid droppers are becoming the most reliable and preferred way to deploy malware on victims' devices. Google has taken action to restrict the privileges that sideloaded applications can obtain starting from Android 13, but, as we covered in our last blog, this solution does not seem to be enough to stop criminals from obtaining and enabling all the privileges and permissions their malware needs.\r\nRecently, ThreatFabric's predictions came true when we discovered an in-development dropper, which we named BugDrop, that criminals have been working on to circumvent this security feature, which will become part of the next release of the mobile OS from Mountain View.\r\nOnce finished, this product would become another weapon in criminals' already dangerous arsenal, potentially rendering Google's solution obsolete even before its deployment.\r\nContext\r\nRecently, in their daily monitoring of Android malware activity, our researchers noticed something unusual in the latest sample of the malware family Xenomorph.\r\nThis malware family has been resurfacing in the last couple of months with a few campaigns, mostly appearing on the Google Play Store. 
These new campaigns feature a new and improved version of Xenomorph, which added RAT capabilities thanks to the addition of a handful of, as they are named in the code itself, “Runtime modules”. These modules give the malware the capability of performing gestures, touches, and much more on an infected device.\r\nWhat sparked our researchers' curiosity was the presence, among the targets returned by the C2, of a Russian application. It is usually very rare for banking malware to target CIS countries, mostly due to some sort of twisted code of honor among criminals from that region. For this reason ThreatFabric decided to investigate further.\r\nIn the case of Xenomorph, after installation the bot always requests overlays from the C2, which sends back an encrypted JSON configuration with the URLs where the overlays are hosted. Below you can see the decrypted result returned from the server, together with the overlay itself.\r\nhttps://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html\r\nPage 1 of 10\r\nAs you can see, the highlighted overlay is the one corresponding to the Russian organization. However, the overlay itself corresponds to a famous Spanish institution. What was very interesting, and started a more detailed investigation, was the fact that the server hosting this specific overlay was different from the one hosting all the others. We simply tried to connect to the server and were welcomed with a nice open folder.\r\nThe “Hadoken Security” Group\r\nBefore analyzing the content of this folder, it is worth mentioning where it is hosted. 
The main domain redirects to the following page, containing a post apparently published on the 31st of May 2022.\r\nIn this post, which seems to be a self-advertisement message, the “Hadoken Security” group claims ownership of multiple malware families, including the Android banking trojan Xenomorph and the dropper Gymdrop, and unfortunately even uses ThreatFabric's own blogs as reference:\r\nComing back to the investigation, the open folder contained a few different interesting files. In addition to the previously mentioned Spanish overlay, and another overlay targeting Gmail, three APKs were available for download. Two of these were different Xenomorph samples belonging to two different campaigns (the “Task Scheduler” campaign and the “Android Settings” campaign).\r\nHowever, the third APK sample, which poses as a QR code reader, looked different from the others. Based on Xenomorph's known modus operandi, our best guess was for this to be a dropper, likely of the Gymdrop family, which has previously been associated with this banking malware and with the threat actor group behind it.\r\nBugDrop: A Dropper Trying to Bypass Google Security\r\nThe application poses as a QR code reader, much like many other droppers that ThreatFabric has seen and reported over the past couple of years.\r\nIt is interesting to see that in one of the fake activities used by the dropper, specifically the one that should be used to send messages via the social messaging app WhatsApp, the default country code is set to +92, corresponding to Pakistan. 
This information could give an indication of the possible target area for the future of this dropper, but currently we do not possess enough information to substantiate this claim.\r\nOnce started, the application immediately requests Accessibility Services access from the user. This is already a red flag, as this kind of service grants applications the ability to perform gestures and touches in the user's stead. No QR code reader should require these kinds of privileges. In addition, it rules out the possibility of this sample being part of the Gymdrop family, as that dropper family does not rely on Accessibility Services to install malware on victims' devices.\r\nOnce granted, while showing a loading screen, the dropper initiates a connection with its onion.ws C2, which relies on the TOR protocol, obtaining back its configuration and the URL of the payload to download and install. Throughout the course of our investigation, this URL changed from being one of the samples in the open folder to an external URL again referring to QR code scanner functionality, which used an endpoint very similar to the one used by Gymdrop samples that we observed in the wild in the last few months.\r\nThe file downloaded in both cases still belonged to the Xenomorph family.\r\nThis is where it becomes clear that this dropper and the actors behind it are still in a deep development phase. 
In the image below you can see the error message sent back to the C2 by the bot:\r\nThe clear issue here is that the APK does not request the “REQUEST_INSTALL_PACKAGES” permission from the OS, without which it is impossible for an application to install anything on the device (even with Accessibility Services privileges), as is even pointed out by the error message sent back to the onion C2 by the bot.\r\nA few hours after the discovery of the open folder, the criminals noticed the issue, also thanks to a tweet thread that drew the attention of a few researchers, and blocked access to the data.\r\nA page out of Brox's tutorial manual\r\nAs is clear, this dropper-in-development is a new product from the actors behind Xenomorph. Most of its malicious behaviour is contained in a package named com.secpro.androidapkupdater. If this name rings a bell, it is because it is borrowed from a lesser-known malware named Brox. Brox (also known as MasterFred) is an Android malware family that was created and distributed on hacking forums as a means to teach malware development to criminals. The actors behind it offered a full paid course teaching the basics of malware development, including access to panels and support in the management and abuse of the botnet. 
This malware family briefly resurfaced towards the end of 2021, when it was also named MasterFred, but with just a handful of samples.\r\nThis QR code reader seems to be a slightly modified version of the original Brox code, with just a slightly tweaked communication protocol.\r\nIn this case, during the setup, the criminals forgot to hide the sign-up page of the panel, which, in good tutorial fashion, does not have any specific requirement for access. This allowed us to have a nice view of the panel itself, together with some information on the number of infections for this in-development dropper. We assume that this number is mostly made up of testing devices (from criminals and researchers alike).\r\nIt is possible that this specific panel is simply set up automatically from the tutorial code of Brox, as there does not seem to be much activity or many capabilities enabled in this panel.\r\nThis malware family was previously known as an overlaying Android malware, but has always had the capability of installing other APKs on the device. It seems that this is the primary purpose of the malware when deploying Xenomorph, while relying on a C2 server structure very similar to the one used by Gymdrop, which, as discussed, is another product of the Hadoken group.\r\nCurrently we do not see any banking malware activity coming from these samples, despite the fact that they do feature code capable of performing overlay attacks as well.\r\nA brand new technique to bypass Google's Security Measures\r\nThe most interesting fact about this new Brox sample is the methodology used to install the APK downloaded from the server. The code is not fully functional, and some of the references seem to be missing, but one string in the installer function stands out among the others. 
You can find the mentioned function in the following code snippet:\r\n.method public constructor \u003cinit\u003e(Context, String, c)V\r\n    .registers 6\r\n    invoke-direct Object-\u003e\u003cinit\u003e()V, p\r\n    invoke-static h-\u003ea(String)String, v0\r\n    const-string v0, \"~~~\"\r\n    const-string v1, \"4.Update\"\r\n    invoke-static Log-\u003ed(String, String)I, v0, v1\r\n    iput-object p1, p0, g-\u003ea:Context\r\n    iput-object p2, p0, g-\r\n    invoke-virtual StringBuilder-\u003eappend(String)StringBuilder, p1, p3\r\n    invoke-virtual StringBuilder-\u003eappend(St\r\nWhat drew our attention is the presence in the Smali code of the string “com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED”. This string, which is not present in the original Brox code, is the broadcast action used in Google's own ApiDemos sample for a session-based installation through the PackageInstaller API: the result of the committed install session is delivered to a receiver registered for this action. Its presence suggests that the installer routine was lifted from that sample.\r\nIn this context, it is important to recall the new security features of Android 13, which will be released in the fall of 2022. With this release, Google introduced the “restricted setting” feature, which blocks sideloaded applications (those installed through the legacy intent-based install flow) from being granted Accessibility Services privileges, leaving this possibility only to applications installed through the session-based PackageInstaller API (the method normally used by app stores).\r\nWith this in mind, it is clear what the criminals are trying to achieve. What is likely happening is that the actors are using an already built malware, capable of installing new APKs on an infected device, to test a session-based installation method, which would later be incorporated into a more elaborate and refined dropper.\r\nThis is very dangerous, and in line with what ThreatFabric predicted in our previous blog “2022 Mobile Threat Landscape update”. 
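As an added example, not code from the ThreatFabric post or from any sample it describes, the following Python triage heuristic turns the indicators discussed above into a static check over features that an APK unpacker gives you: the declared uses-permissions, the permission attached to any declared service, and the string constants in the dex. It flags the accessibility service, the session-based PackageInstaller flow (recognised by the PackageInstaller class reference and the ApiDemos status action), a C2 reached through an onion.ws gateway, and the exact failure mode seen in BugDrop, a session install without REQUEST_INSTALL_PACKAGES. It also goes one step beyond the text and models the Android 13 rule itself: a payload installed by a session-based dropper is exempt from the restricted setting, one installed through the legacy intent flow is not. The feature sets at the bottom are constructed for the demo (labelled with the package names from the appendix, but not extracted from those hashes), the gateway URL is a placeholder, and the function and verdict names are this example's own.

```python
"""Static triage heuristic for dropper-like Android APKs.

Added example for this edited copy; not code from the ThreatFabric post nor
from any sample it describes.  The feature sets at the bottom are CONSTRUCTED
for the demo, not extracted from the hashes in the appendix.
"""
from dataclasses import dataclass, field
import re

# Permission an app must declare on its <service> to be an accessibility service.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permission without which a PackageInstaller session commit fails on Android 8+.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# Status-broadcast action from Google's ApiDemos session-install sample.
SESSION_STATUS_ACTION = "com.example.android.apis.content.SESSION_API_PACKAGE_INSTALLED"
SESSION_API_CLASS = "Landroid/content/pm/PackageInstaller"
# Native .onion addresses or the onion.ws Tor-to-web gateway used by the dropper.
TOR_RE = re.compile(r"\.onion(\.ws)?\b", re.IGNORECASE)


@dataclass
class ApkFeatures:
    package: str
    uses_permissions: set = field(default_factory=set)    # <uses-permission> names
    service_permissions: set = field(default_factory=set) # android:permission on <service>
    strings: list = field(default_factory=list)           # dex string constants


def android13_restricted_setting(install_method: str) -> bool:
    """Android 13 'restricted setting': apps installed through a non-session
    installer (legacy ACTION_VIEW / ACTION_INSTALL_PACKAGE intent) cannot be
    granted accessibility access; apps installed through the session-based
    PackageInstaller API, the path app stores use, are exempt."""
    return install_method != "session"


def triage(f: ApkFeatures) -> dict:
    """Return matched indicators and a verdict for one APK's features."""
    has_accessibility = ACCESSIBILITY_PERM in f.service_permissions
    uses_session_api = SESSION_STATUS_ACTION in f.strings or any(
        s.startswith(SESSION_API_CLASS) for s in f.strings)
    has_install_perm = INSTALL_PERM in f.uses_permissions
    tor_c2 = [s for s in f.strings if TOR_RE.search(s)]

    indicators = []
    if has_accessibility:
        indicators.append("accessibility_service")
    if uses_session_api:
        indicators.append("session_install_api")
    if has_install_perm:
        indicators.append("request_install_packages")
    if tor_c2:
        indicators.append("tor_gateway_c2")
    if uses_session_api and not has_install_perm:
        # The BugDrop bug: the session can be created but commit() cannot succeed.
        indicators.append("install_permission_missing")

    if uses_session_api and has_accessibility:
        verdict = "session_dropper" if has_install_perm else "session_dropper_broken"
    elif has_install_perm and not has_accessibility:
        verdict = "intent_dropper_candidate"   # Gymdrop-style: no accessibility abuse
    elif has_accessibility:
        verdict = "suspicious_accessibility"
    else:
        verdict = "clean"

    # A payload dropped by a session-based installer escapes the Android 13 rule.
    payload_method = "session" if uses_session_api else "intent"
    return {"package": f.package, "indicators": indicators, "verdict": verdict,
            "payload_restricted_on_android13": android13_restricted_setting(payload_method)}


# --- CONSTRUCTED feature sets (placeholder values, not from the real samples) ---
BUGDROP_LIKE = ApkFeatures(
    package="hdkjvi.looawt.fpfzys",
    uses_permissions={"android.permission.INTERNET"},
    service_permissions={ACCESSIBILITY_PERM},
    strings=["Landroid/content/pm/PackageInstaller$Session;", SESSION_STATUS_ACTION,
             "https://placeholder.onion.ws/gate.php", "4.Update"],
)
GYMDROP_LIKE = ApkFeatures(
    package="com.gym.trainer.jeux",
    uses_permissions={"android.permission.INTERNET", INSTALL_PERM},
    strings=["android.intent.action.VIEW", "application/vnd.android.package-archive"],
)
BENIGN_QR = ApkFeatures(
    package="com.example.qrscanner",
    uses_permissions={"android.permission.CAMERA"},
    strings=["com.google.zxing.BarcodeFormat"],
)

if __name__ == "__main__":
    for sample in (BUGDROP_LIKE, GYMDROP_LIKE, BENIGN_QR):
        print(triage(sample))
```

The verdict names are coarse on purpose: the point is the combination, not any single feature. An accessibility service alone is common in legitimate apps, and REQUEST_INSTALL_PACKAGES alone is what any file manager declares; it is accessibility plus a session-based installer in an app that claims to be a QR reader that matches what the post describes, and the missing-permission case is the signature of a dropper that has not finished development.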
When fully implemented, this slight modification would fully circumvent Google's new security measures, even before they are effectively in place.\r\nConsidering that the Hadoken group has very kindly adopted our naming for all of their products, we decided to name this dropper “BugDrop”, in honor of all the issues present in its codebase.\r\nConclusion\r\nThe Hadoken group has been active since at least the end of 2021, starting with their dropper product, Gymdrop, and in early 2022 they introduced their first Android banking malware, Xenomorph. Both of these malware families have proven to be high threats to banking institutions and banking customers alike, the first being used by multiple malware families as a means of distribution, the second being a very advanced banking trojan with On-Device Fraud capabilities.\r\nWith the completion and resolution of all the issues currently present in BugDrop, criminals will have another efficient weapon in the war against security teams and banking institutions, defeating solutions that are currently being adopted by Google, which are clearly not sufficient to deter criminals.\r\nThreatFabric expects the Hadoken group to continue working on this dropper family or, more generally, to develop and start distributing a dropper family abusing session-driven installation to bypass Google's new security features.\r\nThreatFabric Fraud Risk Suite\r\nWith our Fraud Risk Suite we are helping financial institutions to gain visibility on fraud attempts by mobile (banking) malware. 
If you would like to know more about how we use our fraud detection SDK to detect any type of fraud on mobile devices, feel free to reach out to sales@threatfabric.com.\r\nAppendix\r\nXenomorph Samples\r\nApp name | Package name | SHA-256\r\nAndroid Security Service | deceva.lgmihi.wtcozl | ab345951a3e673aec99f80d39fa8f9cdb0d1ac07e0322dae3497c237f7b37277\r\nTask Scheduler | wyrkpv.slyffg.berykl | 65c655663b9bd756864591a605ab935e52e5295735cb8d31d16e1a6bc2c19c28\r\nGymdrop Samples\r\nApp name | Package name | SHA-256\r\nGym and Fitness Trainer | com.gym.trainer.jeux | 30ee6f4ea71958c2b8d3c98a73408979f8179159acccc01b6fd53ccb20579b6b\r\nDocument Scanner | com.portus.docscan | 3484a3e8743d65510de60b7bc91ee87da57573e22294fc36f731b3e1096adf15\r\nBugDrop Samples\r\nApp name | Package name | SHA-256\r\nanother QRScan | hdkjvi.looawt.fpfzys | 214a576b46241bdf76bb4dbeacc7a456905eacd345fc515e0b38d6976c271168\r\nanother QRScan | hdkjvi.looawt.fpfzys | 367ae87d74c4d45aec595bdccee83a2d38b8ceb71956c902716141f163987c8a\r\nBrox Samples\r\nApp name | Package name | SHA-256\r\nMaster | master.com | 1284d9e44fa5ac5b645c26c5e941cc392d77ab24ebfa91948688ce769ff71667\r\nTest | com.test.com | 8d9facf6319339cfaf0de3e2da5727bd25a933b34b5f0b0029459d6d7e22689a\r\nSource: https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html"
	],
	"report_names": [
		"bugdrop-new-dropper-bypassing-google-security-measures.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434863,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eedf9565eb35c96634000fe0307e04b4e982648b.pdf",
		"text": "https://archive.orkl.eu/eedf9565eb35c96634000fe0307e04b4e982648b.txt",
		"img": "https://archive.orkl.eu/eedf9565eb35c96634000fe0307e04b4e982648b.jpg"
	}
}