Android Droppers Expand Beyond Banking Trojans, Now Delivering SMS Stealers and Spyware

Cybersecurity experts have identified a new shift in the Android malware ecosystem, where dropper apps—traditionally used to deliver banking trojans—are increasingly being leveraged to spread simpler threats such as SMS stealers and basic spyware.

According to a recent report from ThreatFabric, these malicious campaigns often disguise droppers as legitimate government or banking apps, particularly targeting users in India and other parts of Asia.

A Response to Stronger Google Protections

The trend appears to be a reaction to Google’s recent security initiatives, including pilot programs in Singapore, Thailand, Brazil, and India that block the sideloading of suspicious apps requesting sensitive permissions such as SMS access and accessibility services. These measures have proven effective at blocking malicious apps before users can interact with them.

However, attackers are adapting quickly. By embedding even basic malware payloads inside droppers, cybercriminals create a “protective shell” that allows them to bypass detection while maintaining flexibility to update or replace payloads for future campaigns.

Some droppers avoid requesting high-risk permissions upfront, instead displaying a harmless “update” screen to pass initial scans. Only when the user taps “Update” does the malicious payload download from an external server, at which point it begins seeking the necessary permissions to execute its objectives.
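For defenders triaging sideloaded APKs, the sketch below (an added example, not code from ThreatFabric or the article) shows why a permission-only check misses this pattern: it classifies a decoded AndroidManifest.xml by what the app declares up front. The permission strings are standard Android names rather than values from the report, the verdict labels and function name are hypothetical, and the manifests are constructed samples assumed to be already decoded to plain XML.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
INTERNET = "android.permission.INTERNET"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml):
    """Classify a decoded AndroidManifest.xml by what it declares up front."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = any(s.get(NS + "permission") == A11Y_BIND for s in root.iter("service"))
    high_risk = sorted(perms & SMS_PERMS) + (["accessibility-service"] if a11y else [])
    # Network access plus the ability to request a package install is what a
    # staged "update" needs; legitimate app stores and updaters match too.
    can_stage = INTERNET in perms and INSTALL in perms
    if high_risk:
        verdict = "high-risk-upfront"   # hypothetical label
    elif can_stage:
        verdict = "stager-profile"      # hypothetical label: review, not a conviction
    else:
        verdict = "no-flag"
    return {"verdict": verdict, "high_risk": high_risk, "can_stage": can_stage}

# Constructed sample manifests (not taken from any real app).
HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.sample">')

def _perm(name):
    return '<uses-permission android:name="android.permission.%s"/>' % name

QUIET_STAGER = HEAD + _perm("INTERNET") + _perm("REQUEST_INSTALL_PACKAGES") + "</manifest>"
SMS_APP = HEAD + _perm("INTERNET") + _perm("READ_SMS") + _perm("RECEIVE_SMS") + "</manifest>"
A11Y_APP = (HEAD + '<application><service android:name=".Svc" '
            'android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>'
            "</application></manifest>")

if __name__ == "__main__":
    for label, xml in [("quiet", QUIET_STAGER), ("sms", SMS_APP), ("a11y", A11Y_APP)]:
        print(label, triage_manifest(xml))
```

A "stager-profile" result only means the app can fetch and install another package while declaring nothing sensitive itself, so the second-stage APK it installs needs its own review.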

While Google Play Protect may issue warnings during installation, the system still allows risky apps to proceed if the user chooses to accept the alerts—leaving a critical gap that attackers continue to exploit.

Emerging Threats: RewardDropMiner and Beyond

One notable example is RewardDropMiner, a dropper that has been observed distributing spyware alongside a Monero cryptocurrency miner, although recent versions have dropped the mining feature. Variants of this and similar droppers—such as SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper—are actively targeting users in Asia while avoiding Play Protect’s pilot program.

In response, Google has emphasized that none of these malicious apps have been distributed through the Play Store and that Google Play Protect already blocks known malware versions. A spokesperson reiterated the company’s commitment to continuously strengthening its defenses against emerging threats.

Malvertising Expands the Attack Surface

At the same time, Bitdefender Labs has reported a separate campaign abusing Facebook Ads to distribute a fake premium version of the TradingView Android app. The ultimate goal of this operation is to install an upgraded version of the Brokewell banking trojan, capable of monitoring, controlling, and stealing sensitive data from infected devices.

Since late July 2025, at least 75 malicious ads have been identified, reaching tens of thousands of users across the European Union. Researchers warn this Android wave is only part of a broader malvertising effort, which has also targeted Windows systems by disguising threats as financial or cryptocurrency apps.

Key Takeaway

These developments highlight the evolving tactics of cybercriminals, who are increasingly targeting mobile users with sophisticated social engineering and stealthy delivery methods. As attackers refine their techniques to keep pace with user behavior and platform defenses, organizations and individuals must remain vigilant, ensuring devices are updated and protected with layered security strategies.

Source: https://thehackernews.com/2025/09/android-droppers-now-deliver-sms.html