Android Droppers distributing banking trojans, SMS stealers and spyware
Cybersecurity researchers are highlighting a significant shift in the Android malware landscape: dropper apps, traditionally used to deliver banking trojans, are now also distributing simpler forms of malware such as SMS stealers and basic spyware. These campaigns are being propagated through dropper apps that masquerade as government or banking applications in India and other regions of Asia, according to a recent report by ThreatFabric. The Dutch mobile security firm attributes this change to new security measures that Google has implemented in select markets, including Singapore, Thailand, Brazil, and India, aimed at blocking the sideloading of potentially harmful apps that request dangerous permissions such as access to SMS messages and accessibility services. Google Play Protect’s defences, particularly the targeted Pilot Program, are becoming increasingly effective at preventing risky apps from running.
ThreatFabric notes that while Google’s strategy enhances security by blocking malicious apps before user interaction, attackers are continuously adapting to circumvent these safeguards. This ongoing cat-and-mouse game is evident in the design of droppers that avoid high-risk permissions and present only a benign “update” screen, which can bypass scanning in affected regions. Only when users click the “Update” button is the actual payload fetched from an external server or unpacked, after which it requests the permissions it needs to carry out its objectives. Although Play Protect may issue alerts regarding potential risks during a separate scan, the critical gap remains that risky apps can still be installed if users choose to proceed, allowing malware to slip through the Pilot Program.

One notable dropper, RewardDropMiner, has been found to deliver spyware payloads alongside a Monero cryptocurrency miner, although recent variants have omitted the miner functionality. Malicious apps delivered via RewardDropMiner, all targeting users in India, include PM Yojana 2025 (com.fluvdp.hrzmkgi), RTO Challan (com.epr.fnroyex), SBI Online (com.qmwownic.eqmff), and Axis Card (com.tolqppj.yqmrlytfzrxa). Other dropper variants that successfully evade triggering Play Protect or the Pilot Program include SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper. When contacted for comment, Google stated that it has not identified any apps using these techniques.
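The gap the report describes is that a first-stage dropper looks harmless at install time because it declares none of the permissions the Pilot Program gates, and only the later-fetched payload asks for SMS or accessibility access. The following triage script, an added example that is not code from ThreatFabric, Google, or the article, shows how a defender reviewing sideloaded APKs can sort manifests into the three cases the report implies: a manifest that already declares SMS or accessibility rights, a manifest that declares nothing suspicious except the ability to fetch and install another APK, and a clean manifest. The four package names come from the report; every other package name, the manifests themselves, and the assumption that a two-stage installer needs the real Android permission REQUEST_INSTALL_PACKAGES are constructed for this example.

```python
"""Triage heuristic for sideloaded Android app manifests (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"

# Permission families the report says Play Protect's Pilot Program gates for
# sideloaded apps: SMS access and accessibility services.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Assumption (not stated in the report): a first stage that installs a fetched
# APK on Android 8+ must declare REQUEST_INSTALL_PACKAGES, so a manifest with
# only network plus install rights matches the "benign update screen" pattern.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
INTERNET_PERM = "android.permission.INTERNET"

# Package names of the RewardDropMiner-delivered apps listed in the report.
KNOWN_BAD_PACKAGES = {
    "com.fluvdp.hrzmkgi",        # PM Yojana 2025
    "com.epr.fnroyex",           # RTO Challan
    "com.qmwownic.eqmff",        # SBI Online
    "com.tolqppj.yqmrlytfzrxa",  # Axis Card
}


def parse_manifest(xml_text):
    """Return (package, set of uses-permission names, has_accessibility_service)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    # Accessibility services are declared on a <service> guarded by the
    # BIND_ACCESSIBILITY_SERVICE permission, not via <uses-permission>.
    accessibility = any(s.get(PERM) == ACCESSIBILITY_BIND for s in root.iter("service"))
    return package, perms, accessibility


def triage(xml_text):
    """Classify one manifest; severity order: known-bad > high-risk > staged > clean."""
    package, perms, accessibility = parse_manifest(xml_text)
    reasons = []
    sms = perms & SMS_PERMS
    if sms:
        reasons.append("requests SMS permissions: " + ", ".join(sorted(sms)))
    if accessibility:
        reasons.append("declares an accessibility service")
    if package in KNOWN_BAD_PACKAGES:
        reasons.append("package name matches an app listed in the report")
        verdict = "known-bad package"
    elif sms or accessibility:
        verdict = "high-risk permissions"
    elif INSTALL_PERM in perms and INTERNET_PERM in perms:
        # Nothing the Pilot Program gates, yet it can fetch and install a
        # second APK: the first-stage pattern the report describes.
        reasons.append("can fetch and install another APK while requesting "
                       "no SMS or accessibility rights")
        verdict = "possible staged dropper"
    else:
        verdict = "no flags"
    return {"package": package, "verdict": verdict, "reasons": reasons}


def make_manifest(package, perms, accessibility_service=False):
    """Build a minimal AndroidManifest.xml string (constructed sample input)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    service = (f'<service android:name=".A11y" android:permission="{ACCESSIBILITY_BIND}"/>'
               if accessibility_service else "")
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f"{uses}<application>{service}</application></manifest>")


# Constructed samples; only "reported" uses a package name from the report.
SAMPLES = {
    "first stage": make_manifest("com.example.update", [INTERNET_PERM, INSTALL_PERM]),
    "payload": make_manifest("com.example.payload", [INTERNET_PERM, *SMS_PERMS], True),
    "clean": make_manifest("com.example.notes", [INTERNET_PERM]),
    "reported": make_manifest("com.qmwownic.eqmff", [INTERNET_PERM]),
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        result = triage(xml_text)
        print(f"{label:12} {result['package']:28} {result['verdict']}")
        for reason in result["reasons"]:
            print(" " * 13 + "- " + reason)
```

The "possible staged dropper" bucket is the interesting one: it is exactly the manifest shape that passes an install-time permission gate, so it should route to dynamic analysis of what happens after the "Update" button is pressed rather than be treated as clean. In a real pipeline the manifest would come from decoding the APK (for example with apktool) instead of from the constructed strings above.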