Emerging Android Droppers Now Deploy SMS Stealers and Spyware Beyond Banking Trojans

Recent analyses by cybersecurity experts have unveiled a significant evolution in Android malware tactics. Traditionally, dropper applications have been utilized to deliver banking trojans. However, current trends indicate that these droppers are now being employed to disseminate a broader spectrum of malicious software, including SMS stealers and basic spyware.

These deceptive campaigns often involve dropper apps that masquerade as legitimate government or banking applications, particularly targeting users in India and various regions across Asia. According to a recent report by ThreatFabric, a Dutch mobile security firm, this shift is largely a response to enhanced security measures implemented by Google. These measures aim to prevent the sideloading of potentially harmful apps that request sensitive permissions, such as access to SMS messages and accessibility services—features frequently exploited to execute malicious activities on Android devices.

ThreatFabric’s report highlights that Google’s proactive strategies, especially the targeted Pilot Program, have become increasingly effective in intercepting and halting risky applications before they can be executed. Consequently, cybercriminals are adapting their methods to circumvent these defenses. By encapsulating even basic malicious payloads within dropper applications, they create a protective shell that can evade current security checks. This approach not only allows them to bypass existing protections but also provides the flexibility to swap payloads and pivot their campaigns as needed.

Despite Google’s efforts to block the installation of malicious apps before user interaction, attackers are continually devising new strategies to bypass these safeguards. This ongoing battle underscores the dynamic and persistent nature of cybersecurity threats.

One notable tactic involves designing droppers that align with Google’s Pilot Program guidelines. These droppers avoid requesting high-risk permissions and present only a benign update screen, enabling them to pass through initial security scans unnoticed. However, once the user clicks the Update button, the actual malicious payload is retrieved from an external server or unpacked. This payload then seeks the necessary permissions to carry out its malicious objectives.

ThreatFabric points out a critical gap in this process: Google Play Protect may display alerts about potential risks during subsequent scans, but if the user chooses to proceed, the installation completes and the malicious payload is delivered. Because Play Protect still permits the installation of risky apps when the user consents, malware can slip through the Pilot Program's defenses.

An example of such a dropper is RewardDropMiner, which has been identified delivering spyware payloads alongside a Monero cryptocurrency miner that can be activated remotely. Recent versions of this tool, however, have omitted the mining functionality.

Several malicious applications distributed via RewardDropMiner have specifically targeted users in India. These include:

– PM YOJANA 2025 (com.fluvdp.hrzmkgi)
– RTO Challan (com.epr.fnroyex)
– SBI Online (com.qmwownic.eqmff)
– Axis Card (com.tolqppj.yqmrlytfzrxa)
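
The two behaviours the report describes, a payload that is installed by another sideloaded app rather than by the store and then requests SMS or accessibility permissions, can be checked for on a device from the defender's side. The following Python script is an added example, not code from ThreatFabric or Google: it parses the output of `adb shell dumpsys package` (a simplified, constructed dump is embedded inline; the real output is longer but uses the same `Package [...]`, `installerPackageName=` and `android.permission.*` lines), flags the package names listed above as known RewardDropMiner payloads, flags any sideloaded app that holds SMS or accessibility permissions, and flags any non-store app that shows up as the installer of another package. The package name `com.example.updater`, the hashes in brackets and the trusted-installer list are assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Package names named in the ThreatFabric report as apps delivered via RewardDropMiner.
KNOWN_DROPPER_PAYLOADS = {
    "com.fluvdp.hrzmkgi": "PM YOJANA 2025",
    "com.epr.fnroyex": "RTO Challan",
    "com.qmwownic.eqmff": "SBI Online",
    "com.tolqppj.yqmrlytfzrxa": "Axis Card",
}

# Permissions the report singles out as the ones payloads request after installation.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

# Installers treated as expected (assumption: Play Store and the stock package installer).
TRUSTED_INSTALLERS = {"com.android.vending", "com.google.android.packageinstaller"}

# Constructed sample in the shape of `dumpsys package` output; not a real device dump.
SAMPLE_DUMP = """
Packages:
  Package [com.android.chrome] (1a2b3c):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
  Package [com.example.updater] (4d5e6f):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
  Package [com.qmwownic.eqmff] (7a8b9c):
    installerPackageName=com.example.updater
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
    runtime permissions:
      android.permission.READ_SMS: granted=true
"""


def parse_dumpsys(text: str) -> Dict[str, dict]:
    """Return {package: {"installer": str | None, "perms": set()}} from a dumpsys-style dump."""
    packages: Dict[str, dict] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"Package \[([\w.]+)\]", line)
        if match:
            current = match.group(1)
            packages[current] = {"installer": None, "perms": set()}
            continue
        if current is None:
            continue
        if line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            packages[current]["installer"] = None if value in ("", "null") else value
        elif line.startswith("android.permission."):
            # Lines in the runtime section look like "NAME: granted=true"; keep only NAME.
            packages[current]["perms"].add(line.split(":", 1)[0])
    return packages


def assess(packages: Dict[str, dict]) -> List[dict]:
    """Flag packages matching the dropper/payload pattern described in the report."""
    findings = []
    for pkg, info in packages.items():
        reasons = []
        if pkg in KNOWN_DROPPER_PAYLOADS:
            reasons.append(f"known RewardDropMiner payload ({KNOWN_DROPPER_PAYLOADS[pkg]})")
        risky = info["perms"] & HIGH_RISK_PERMISSIONS
        sideloaded = info["installer"] not in TRUSTED_INSTALLERS
        if risky and sideloaded:
            reasons.append(f"sideloaded by {info['installer'] or 'unknown'} and requests {sorted(risky)}")
        # A non-store app that installed other packages behaves like a dropper shell.
        installed_by_this = [p for p, i in packages.items() if i["installer"] == pkg]
        if installed_by_this and pkg not in TRUSTED_INSTALLERS:
            reasons.append(f"acts as installer for {installed_by_this}")
        if reasons:
            findings.append({"package": pkg, "installer": info["installer"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess(parse_dumpsys(SAMPLE_DUMP)):
        print(finding["package"], "<-", finding["installer"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

On the sample dump the Chrome entry is left alone, `com.example.updater` is flagged only because another package names it as installer, and `com.qmwownic.eqmff` is flagged twice: once as a listed payload and once as a sideloaded app holding SMS permissions. The installer chain is the more durable signal of the two, since package names rotate between campaigns while the dropper-installs-payload relationship is what the technique requires.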

Other variants of droppers that have been designed to evade detection by Play Protect and the Pilot Program include SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper.

In response to these developments, Google has stated that it has not identified any apps employing these techniques within the Play Store and is continually enhancing its protective measures. A Google spokesperson emphasized that, regardless of an app’s origin—even if installed via a dropper app—Google Play Protect automatically scans for threats to safeguard users. Protection against these identified malware versions was already in place through Google Play Protect prior to this report. Based on current detection, no apps containing these versions of malware have been found on Google Play. The company is consistently improving its defenses to protect users from malicious actors.

This development coincides with findings from Bitdefender Labs, which have uncovered a new campaign utilizing malicious advertisements on Facebook. These ads promote a free premium version of the TradingView app for Android, ultimately deploying an enhanced version of the Brokewell banking trojan. This malware is designed to monitor, control, and steal sensitive information from the victim’s device.

Since July 22, 2025, at least 75 malicious ads have been active, reaching tens of thousands of users within the European Union alone. This Android-focused attack is part of a broader malvertising operation that has exploited Facebook Ads to target Windows desktops under the guise of various financial and cryptocurrency applications.

Bitdefender’s analysis indicates that cybercriminals are refining their tactics to align with user behavior. By targeting mobile users and disguising malware as trusted trading tools, attackers aim to exploit the increasing reliance on cryptocurrency applications and financial platforms.