Google released Android 13 in August, and hackers already have their sights set on circumventing the company’s latest security measures. A team of researchers has found a work-in-progress malware that is using a new technique to evade Google’s new restrictions on which apps can access accessibility services. The misuse of accessibility services makes it easier for malware to snoop passwords and private data, and is hence one of the most used gateways for bad actors on Android.

To understand what’s happening, we need to look at Android 13’s new security measures before we dive in. Android 13 no longer allows sideloaded apps to request access to accessibility services unless you go out of your way to grant said app permission using a convoluted workaround. This is meant as a protection against malware that someone inexperienced may have inadvertently downloaded from outside the Play Store, like some shady QR code scanner. An app like that would then usually ask users to permit it to use accessibility services, but that option is not readily available for apps from outside app stores anymore.

Given that accessibility services are a legitimate option for apps that do want to make phones more accessible for those who are in need, Google doesn’t want to outright ban access to accessibility services for all apps, though. Applications downloaded from the Play Store are exempt from this block, and the same is true for any app downloaded via another third-party app store other than the Play Store (think F-Droid or Amazon App Store). This is done by exempting apps installed via the session-based package installation API from the accessibility services lock. Google’s reasoning here is that app stores usually vet applications they offer, so that there is already a line of defense in place. This exemption is exactly what hackers are taking advantage of in the latest exploit, though.

As covered by ThreatFabric, malware developers part of the Hadoken group are working on a new exploit that builds on top of older malware that uses accessibility services to gain insight into personal data. Since granting accessibility to sideloaded apps is more difficult on Android 13, the new malware comes in two parts. The first app the user installs is the “dropper” that acts like an app store, using the same session-based package installation API to install the actual piece of malware without the restrictions on activating accessibility services.

While malware could still ask users to enable accessibility services for sideloaded apps, the workaround to enable them is significant. It is easier to fool users into activating accessibility services with a single tap, which is what this new two-fold attack achieves.

ThreatFabric notes that the malware is still in early development stages and that it is still incredibly buggy and finicky at this point. That’s why the company decided to call the newly found malware “BugDrop,” as it’s not up to par with the rest of the hacker group’s code just yet. Previously, the Hadoken group hatched another dropper project called Gymdrop, which also serves to distribute other malware. The group additionally created some banking malware called Xenomorph. For all of these, accessibility services are the weak link, so whatever you do, don’t grant an app permission to use accessibility services if it isn't an accessibility app (with Tasker being one notably exception).