Android Malware Loaders Defeat Google’s New Defenses
Cybercriminals are bypassing a security control introduced in Android 13 by using malware loaders to obtain accessibility access for their payloads, according to new threat intelligence from Intel471. Google's Restricted Settings feature blocks sideloaded apps from being granted accessibility access, a capability banking trojans routinely abuse to read screen content and inject overlays. The control is applied according to how an app was installed: an APK opened directly from a browser or file manager is flagged as sideloaded, while an app installed through a session-based PackageInstaller flow, the install path app stores use, is not. Loaders exploit that distinction. The loader itself is sideloaded and requests nothing sensitive, then installs its payload through a package installer session, so the payload is treated like a store install and can be granted accessibility access as if the restriction did not exist.
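The install-path distinction above suggests a triage check an incident responder can run against a device: cross-reference every enabled accessibility service with the installer Android recorded for its package. The script below is an added example, not code from Intel471's report or from any loader. It parses the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` (embedded here as constructed samples rather than pulled from a device); the store allowlist and all package names are assumptions for illustration.

```python
"""Triage enabled Android accessibility services against each app's recorded installer.

Assumed inputs (constructed samples below, not captured from a real device):
  adb shell pm list packages -i
  adb shell settings get secure enabled_accessibility_services
"""
import re
from typing import Dict, List, Tuple

# Installer packages treated as legitimate app stores (assumption; extend per fleet).
TRUSTED_STORES = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
}

# Constructed sample of `pm list packages -i` output. Package names are hypothetical.
SAMPLE_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded.notes  installer=null
package:com.example.fakeupdate  installer=null
package:com.example.payload  installer=com.example.fakeupdate
"""

# Constructed sample of the enabled_accessibility_services secure setting
# (colon-separated package/service entries).
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.payload/com.example.payload.AccService:"
    "com.example.sideloaded.notes/.A11yService"
)

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when Android recorded none)."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_enabled_services(setting: str) -> List[str]:
    """Return the package owning each enabled accessibility service, in order."""
    pkgs = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if entry:
            pkgs.append(entry.split("/", 1)[0])
    return pkgs


def classify(pkg: str, installers: Dict[str, str]) -> str:
    """Verdict based on how the package reached the device."""
    installer = installers.get(pkg)
    if installer is None:
        return "unknown-package"
    if installer in TRUSTED_STORES:
        return "store-installed"
    if installer == "null":
        # Direct sideload: on Android 13+ Restricted Settings should have blocked
        # accessibility unless the user explicitly overrode it.
        return "sideloaded"
    # Installed by another app via a PackageInstaller session. That path is exempt
    # from Restricted Settings, so check whether the installing app was itself sideloaded.
    parent = installers.get(installer, "null")
    if parent in TRUSTED_STORES:
        return "installed-by-store-app"
    return "installed-by-sideloaded-app"


def triage(pm_output: str, setting: str) -> List[Tuple[str, str, str]]:
    """(package, recorded installer, verdict) for every enabled accessibility service."""
    installers = parse_installers(pm_output)
    return [(pkg, installers.get(pkg, "?"), classify(pkg, installers))
            for pkg in parse_enabled_services(setting)]


def suspicious(pm_output: str, setting: str) -> List[Tuple[str, str, str]]:
    """Only the entries that warrant a closer look."""
    flagged = {"sideloaded", "installed-by-sideloaded-app", "unknown-package"}
    return [t for t in triage(pm_output, setting) if t[2] in flagged]


if __name__ == "__main__":
    for pkg, installer, verdict in triage(SAMPLE_PACKAGES, SAMPLE_ENABLED):
        print(f"{verdict:28} {pkg}  (installer={installer})")
```

On the sample data the talkback service is store-installed, `com.example.sideloaded.notes` is a plain sideload (meaning the user clicked through the Restricted Settings override, or the device predates Android 13), and `com.example.payload` is the pattern described in the article: an accessibility-enabled app whose recorded installer is another app that was itself sideloaded. The installer field is set by the system from the calling package of the install session, so a loader cannot forge it, which makes this chain a reliable pivot during triage.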
One such loader, TiramisuDropper, has emerged as a favored tool among threat actors distributing malware families such as Hook, TgToxic, and TrickMo. From April to December 2024, Hook accounted for nearly 30% of infections tied to this dropper. Other strains delivered through the loader include Coper, Medusa, and SpyNote.
The release of the Brokewell loader's source code on a cybercrime forum in April has further fueled the spread of these bypass techniques, since any operator can now build a loader with the session-based install trick rather than rent one. Analysts warn this could disrupt existing dropper-as-a-service operations and intensify large-scale fraud campaigns targeting financial platforms, as detection tools built around the classic sideload path struggle against these stealthier installation methods.
