Unmasking the Threat: Malware Loaders Bypassing Android 13+ Accessibility Protections

The Android malware ecosystem underwent significant transformation in 2024, with threat actors and malware developers swiftly adapting to countermeasures introduced by Google in Android 13 and later versions.

Notably, the security enhancements aimed at limiting abuse of Android’s accessibility services have been systematically circumvented by sophisticated malware loaders.

This has enabled a new generation of banking trojans, keyloggers, and remote access tools to persistently target users, presenting an ongoing challenge for security professionals and financial institutions.

Malware Loaders Adapt to Enhanced Android Security

A major technical pivot in the Android threat landscape centered on Google’s May 2022 move to restrict accessibility service access for sideloaded applications, an attack vector historically exploited for credential theft, transaction fraud, and device takeover.

In response, malware operators developed loaders such as TiramisuDropper, leveraging session-based package installer APIs to successfully bypass these protections.

The loader architecture enables malicious apps to receive elevated privileges without direct user consent, reinstating the threat that Google sought to mitigate.
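The practical consequence for defenders is that an accessibility grant held by an app that did not come from the store, or that was installed by another sideloaded app, is the pattern to look for during triage. The following script is an added example written for this page (not tooling from the article, Intel471, or any vendor it mentions): it parses the output of two standard `adb shell` commands, `pm list packages -i` and `settings get secure enabled_accessibility_services`, and classifies every package holding an accessibility service by how it was installed. The device output embedded below is constructed sample data, the package names are invented, and the set of trusted installers is an assumption to adjust for your fleet.

```python
"""Triage which apps hold Android accessibility-service grants and how each
was installed.  Sideloaded apps, and apps installed by another sideloaded
app (a dropper-style chain), are the ones worth a closer look."""
import re
from typing import Optional

# Constructed sample of `adb shell pm list packages -i` output; not real device data.
SAMPLE_PM_LIST = """\
package:com.android.vending  installer=null
package:com.example.bank  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.evil.dropper  installer=null
package:com.evil.payload  installer=com.evil.dropper
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_ENABLED_A11Y = (
    "com.evil.payload/com.evil.payload.AccessService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Assumption: only the Play Store counts as a trusted installer; adjust per fleet policy.
TRUSTED_INSTALLERS = {"com.android.vending"}

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output: str) -> dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm reports 'null')."""
    installers: dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.groups()
        installers[pkg] = None if installer == "null" else installer
    return installers


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the colon-separated 'pkg/ServiceClass' list into (pkg, class) pairs."""
    pairs = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        pairs.append((pkg, cls))
    return pairs


def classify(pkg: str, installers: dict[str, Optional[str]], trusted: set[str]) -> str:
    """Verdict for one package based solely on its recorded installer."""
    if pkg not in installers:
        return "unknown-package"
    installer = installers[pkg]
    if installer is None:
        return "sideloaded"
    if installer in trusted:
        return "trusted-store"
    return "installed-by-app"


def triage_accessibility_grants(pm_output: str, a11y_setting: str,
                                trusted: set[str] = TRUSTED_INSTALLERS) -> list[dict]:
    """One finding per enabled accessibility service, with installer context."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_services(a11y_setting):
        verdict = classify(pkg, installers, trusted)
        installer = installers.get(pkg)
        # A non-store installer that was itself sideloaded is the dropper pattern.
        chain = (verdict == "installed-by-app"
                 and classify(installer, installers, trusted) == "sideloaded")
        findings.append({
            "package": pkg, "service": cls, "installer": installer,
            "verdict": verdict, "installer_sideloaded": chain,
        })
    return findings


if __name__ == "__main__":
    for f in triage_accessibility_grants(SAMPLE_PM_LIST, SAMPLE_ENABLED_A11Y):
        print(f"{f['verdict']:<18} {f['package']}  installer={f['installer']}"
              + ("  (installer itself sideloaded)" if f["installer_sideloaded"] else ""))
```

To run it against a real device, capture `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and pass the two strings in. The installer field is only as trustworthy as the package manager's record: it is absent for many legitimate preloads and can be set by the installing app, so treat the verdict as a prioritisation signal for manual review rather than proof of compromise.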

The proliferation of such loaders has not remained isolated. In April 2024, a notorious actor known as Samedit_Marais (aka BaronSamedit) publicly released the Brokewell Android loader on underground forums, advertising its capability to circumvent Android 13+ accessibility restrictions.

Because the source code was distributed freely, the loader has quickly been incorporated into other malware variants, notably those within the “dropper-as-a-service” model, which include TiramisuDropper and numerous banking trojans such as Hook, TgToxic, and TrickMo.

The accessibility bypass achieved by these technologies means that threat actors now require significantly less overhead to conduct on-device fraud, utilizing real-time screen overlays and remote control provided by HVNC (Hidden Virtual Network Computing) modules.

Meanwhile, another concerning development is the broader availability and reuse of advanced malware source code.

Following several high-profile leaks, including the publication of Hook and ERMAC banking trojan source code on GitHub and in underground channels, even nontechnical criminals have entered the market.

According to Intel471, these ready-made malware kits are often repackaged and sold as “unique” strains, driving increased fraud and an uptick in ineffective or recycled malware scams within cybercrime ecosystems.

Notably, by mid-2024, at least sixteen control panels derived from Hook’s leaked panel resources were identified, underscoring the exponential rise in derivative, customized threats.

Image: multiple control panels based on leaked Hook source code.

Leaked Code and NFC Exploits

Threat actors have also expanded their scope through the abuse of near-field communication (NFC) relay technology.

The emergence of campaigns deploying malware such as NGate, which co-opts the legitimate NFCGate open-source toolkit, has enabled attackers to remotely clone payment cards, execute unauthorized retail purchases, and withdraw funds from ATMs using compromised NFC data.

By facilitating the relay of contactless card information in real time to mule devices or attacker-controlled phones, these operations reveal a new vector for scalable, high-value fraud, further complicating mobile security defenses.

Industry analysis suggests that while traditional web-inject attacks have plateaued, the focus has shifted to stealthier keylogging and remote control modalities.

Loader technologies that defeat Android’s evolving security model are now an essential feature, especially as automated transfer systems (ATSs) for banking apps remain resource-intensive for most cybercriminals.

Reputable sellers, rather than technical innovation alone, differentiate themselves in a saturated underground market, often prioritizing customer support, update cadence, and competitive pricing.

Looking ahead, defenders are advised to maintain robust threat monitoring, continuously update detection rules, and share intelligence collaboratively.

As loaders capable of bypassing Android 13+ accessibility restrictions proliferate, the gap widens between baseline operating system security and the advanced tactics now favored by adversaries.

The ongoing integration of NFC relay and remote access modules into mainstream malware further signals a persistent, rapidly evolving threat to mobile financial security.


Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
