The Android malware ecosystem has seen a surge of innovation in 2024, with threat actors actively circumventing security measures introduced in recent Android versions.
One of the most concerning developments is the ability of advanced malware loaders to bypass the heightened accessibility restrictions implemented in Android 13 and newer versions.
These loaders abuse Android’s accessibility features to gain unauthorized control and data access, enabling functionality previously blocked by Google’s security updates.
Technical Analysis: Accessibility Bypass Techniques
Google’s Accessibility Lockdown and How Attackers Adapted
In May 2022, Google introduced a key security enhancement in Android 13: sideloaded applications (APKs installed outside the Play Store) were blocked from accessing Accessibility Services by default.
This significantly reduced the effectiveness of common malware tactics, as Accessibility Services allow for powerful device control and keylogging. However, malware developers quickly adapted.
The Loader Architecture
Modern malware loaders, such as TiramisuDropper and the newer Brokewell loader, employ “session-based package installers.” This technique enables their payloads to sidestep the sideloading restrictions by:
- Initiating installation through a legitimate session installer, rather than standard APK sideloading.
- Manipulating the session context so that the system perceives the app as installed from a trusted source, temporarily granting the payload access to Accessibility Services.
Example Code Snippet: Session-Based Install
Here’s a high-level pseudo-code representation of the behavior:
```java
// Assumes: import android.app.PendingIntent; import android.content.Intent;
// import android.content.pm.PackageInstaller; import java.io.*;  (context and apkBytes are in scope)
PackageInstaller installer = context.getPackageManager().getPackageInstaller();
PackageInstaller.SessionParams params =
        new PackageInstaller.SessionParams(PackageInstaller.SessionParams.MODE_FULL_INSTALL);
int sessionId = installer.createSession(params);
PackageInstaller.Session session = installer.openSession(sessionId);
// Stream the APK into the session; openWrite() hands back the session-owned OutputStream
try (OutputStream out = session.openWrite("base.apk", 0, apkBytes.length)) {
    out.write(apkBytes);
    session.fsync(out); // flush to disk before committing
}
// Commit; the system reports the result through this PendingIntent (mutable so status extras can be filled in)
Intent result = new Intent("com.example.INSTALL_RESULT"); // placeholder action name
PendingIntent pi = PendingIntent.getBroadcast(context, sessionId, result, PendingIntent.FLAG_MUTABLE);
session.commit(pi.getIntentSender());
```
This approach leverages legitimate Android APIs to trick the OS into allowing accessibility permission requests—effectively nullifying Google’s security layer for sideloaded apps.
Hook, TiramisuDropper, and Custom Loaders
- TiramisuDropper became popular for its robust session installer implementation, often deployed alongside notorious banking trojans like Hook.
- Brokewell Loader, released in April 2024 on cybercrime forums, provided a modular framework specifically designed to integrate this bypass functionality, with source code made public to accelerate adoption.
- These loaders automate Accessibility Service abuse, enabling features like keylogging, screen overlays, hidden virtual network computing (HVNC) for remote control, and SMS interception.
These techniques allow malware to:
- Harvest credentials
- Manipulate app interfaces
- Conduct fraudulent transactions—all while remaining largely invisible to users.
Impact and Future Risks
Shift from Web-Injects to On-Device Fraud:
Historically, Android banking malware relied on web-injects to capture user credentials, which required frequent updates.
The move to accessibility abuse and remote control is less maintenance-intensive and more adaptable, particularly as attackers seek to bypass biometrics and multifactor authentication protections.
Proliferation via Leaked Source Code:
The public release of loader and trojan source code (e.g., Hook, ERMAC) has drastically lowered the barrier to entry for would-be cybercriminals.
Non-technical actors now repurpose advanced loaders, expanding both the scale and sophistication of Android malware campaigns.

Future Defenses:
The current malware landscape demands that defenders:
- Build behavioral detection rules focused on suspicious accessibility usage.
- Employ threat intelligence platforms capable of real-time monitoring of malware family evolution.
- Stay vigilant for new loader modules in the wild, particularly those leveraging session-based installs.
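As an added illustration of the first and third points (this helper is not from the original article), the following triage script correlates a device's enabled accessibility services with installer attribution and flags any accessibility-enabled package whose installer chain never reaches a trusted store, which is exactly the pattern a dropper-installed payload leaves behind. The adb output lines, package names and the trusted-installer set below are constructed assumptions.

```python
"""Constructed triage helper: correlate enabled accessibility services with installer
attribution taken from two adb command outputs. All sample data below is fabricated."""
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: extend with your MDM / OEM store packages

# Lines in the style of `adb shell pm list packages -i` (constructed sample)
PM_LIST = """\
package:com.android.vending  installer=null
package:com.bank.official  installer=com.android.vending
package:com.example.dropper  installer=null
package:com.example.payload  installer=com.example.dropper
package:com.example.talkback  installer=com.android.vending
"""
# Value in the style of `adb shell settings get secure enabled_accessibility_services` (constructed)
ENABLED_A11Y = ("com.example.payload/com.example.payload.AccessService:"
                "com.example.talkback/com.example.talkback.TalkBackService")

def parse_installers(pm_output: str) -> dict:
    """Map package -> installer package (None when the installer is 'null')."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, inst = m.groups()
            result[pkg] = None if inst == "null" else inst
    return result

def installer_chain(pkg: str, installers: dict, limit: int = 8) -> list:
    """Follow installer attribution upward (payload -> dropper -> ...) until a trusted store, null or a loop."""
    chain, seen = [], set()
    cur = installers.get(pkg)
    while cur is not None and cur not in seen and len(chain) < limit:
        chain.append(cur)
        seen.add(cur)
        if cur in TRUSTED_INSTALLERS:
            break
        cur = installers.get(cur)
    return chain

def suspicious_accessibility_apps(enabled: str, installers: dict) -> list:
    """Return (package, chain) for accessibility-enabled packages whose chain never ends at a trusted store."""
    flagged = []
    for entry in filter(None, enabled.split(":")):
        pkg = entry.split("/", 1)[0]
        chain = installer_chain(pkg, installers)
        if not chain or chain[-1] not in TRUSTED_INSTALLERS:
            flagged.append((pkg, chain))
    return flagged

if __name__ == "__main__":
    for pkg, chain in suspicious_accessibility_apps(ENABLED_A11Y, parse_installers(PM_LIST)):
        print(f"REVIEW {pkg}: installer chain {chain or ['<sideloaded>']}")
```

Walking the chain rather than checking only the direct installer matters here: a session-installed payload is attributed to the dropper that installed it, so the dropper's own (absent) installer is what exposes the sideload.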
Android malware operators have once again demonstrated technical innovation in the face of heightened platform security.
By exploiting legitimate system features, especially accessibility services, through advanced loaders, they have rendered Google’s anti-sideloading controls less effective.
As this trend accelerates, only proactive and technically robust defense strategies will keep pace with the evolving threat landscape.