Cybersecurity researchers are calling attention to a new shift in the Android malware landscape where dropper apps, which are typically used to deliver banking trojans, to also distribute simpler malware such as SMS stealers and basic spyware.
These campaigns are propagated via dropper apps masquerading as government or banking apps in India and other parts of Asia, ThreatFabric said in a report last week.
The Dutch mobile security firm said the change is driven by recent security protections that Google has piloted in select markets like Singapore, Thailand, Brazil, and India to block sideloading of potentially suspicious apps requesting dangerous permissions like SMS messages and accessibility services, a heavily abused setting to carry out malicious actions on Android devices.
“Google Play Protect’s defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run,” the company said. “Second, actors want to future-proof their operations.”
“By encapsulating even basic payloads inside a dropper, they gain a protective shell that can evade today’s checks while staying flexible enough to swap payloads and pivot campaigns tomorrow.”
ThreatFabric said that while Google’s strategy ups the ante by blocking a malicious app from being installed even before a user can interact with it, attackers are trying out new ways to get around the safeguards — an indication of the endless game of whack-a-mole when it comes to security.
This includes designing droppers, keeping in mind Google’s Pilot Program, so that they don’t seek high-risk permissions and serve only a harmless “update” screen that can fly past scanning in the regions.
But it’s only when the user clicks the “Update” button that the actual payload gets fetched from an external server or unpacked, which then proceeds to seek the necessary permissions to fulfil its objectives.
“Play Protect may display alerts about the risks, as a part of a different scan, but as long as the user accepts them, the app is installed, and the payload is delivered,” ThreatFabric said. “This illustrates a critical gap: Play Protect still allows risky apps through if the user clicks Install anyway, and the malware still slips through the Pilot Program.”
One such dropper is RewardDropMiner, which has been found to serve along with spyware payloads a Monero cryptocurrency miner that can be activated remotely. Recent variants of the tool, however, no longer include the miner functionality.
Some of the malicious apps delivered via RewardDropMiner, all targeting users in India, are listed below –
- PM YOJANA 2025 (com.fluvdp.hrzmkgi)
- °RTO Challan (com.epr.fnroyex)
- SBI Online (com.qmwownic.eqmff)
- Axis Card (com.tolqppj.yqmrlytfzrxa)
Other dropper variants that avoid triggering Play Protect or the Pilot Program include SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper.
When reached for comment, Google told The Hacker News it has not found any apps using these techniques distributed via the Play Store and that it’s constantly adding new protections.
“Regardless of where an app comes from – even if it’s installed by a ‘dropper’ app – Google Play Protect helps to keep users safe by automatically checking it for threats,” a spokesperson said.
“Protection against these identified malware versions was already in place through Google Play Protect prior to this report. Based on our current detection, no apps containing these versions of this malware have been found on Google Play. We’re constantly enhancing our protections to help keep users safe from bad actors.”
The development comes as Bitdefender Labs has warned of a new campaign that’s using malicious ads on Facebook to peddle a free premium version of the TradingView app for Android to ultimately deploy an improved version of the Brokewell banking trojan to monitor, control, and steal sensitive information from the victim’s device.
No less than 75 malicious ads have been run since July 22, 2025, reaching tens of thousands of users in the European Union alone. The Android attack wave is just one part of a larger malvertising operation that has abused Facebook Ads to also target Windows desktops under the guise of various financial and cryptocurrency apps.
“This campaign shows how cybercriminals are fine-tuning their tactics to keep up with user behavior,” the Romanian cybersecurity company said. “By targeting mobile users and disguising malware as trusted trading tools, attackers hope to cash in on the growing reliance on crypto apps and financial platforms.”
