- Cybercriminals are using Android dropper apps to deliver both advanced and basic types of Malware, including SMS stealers and spyware.
- Attackers disguise these droppers as official government or banking apps, mainly targeting users in India and Asia.
- Google’s new security measures block many suspicious sideloaded apps, but attackers modify droppers to bypass these safeguards.
- One dropper, RewardDropMiner, has deployed several malicious apps in India and previously included cryptocurrency mining features.
- A related campaign uses Facebook ads to spread a fake TradingView app, infecting European users with the Brokewell banking trojan.
Cybersecurity researchers have identified a shift in Android malware delivery, where dropper apps now distribute both sophisticated banking trojans and simpler threats like SMS stealers and basic spyware. These droppers are being presented as official government and banking apps, with the primary targets in India and other parts of Asia.
Dutch security firm ThreatFabric reported that recent updates to Google Play Protect—especially a Pilot Program in Singapore, Thailand, Brazil, and India—are blocking suspicious sideloaded apps requesting sensitive permissions. Despite these advances, attackers have adapted their droppers to avoid high-risk permissions and display innocuous screens until users interact further and receive the harmful payload.
According to ThreatFabric, “By encapsulating even basic payloads inside a dropper, they gain a protective shell that can evade today’s checks while staying flexible enough to swap payloads and pivot campaigns tomorrow.” If users accept warnings and proceed to install the app, the dropper can bypass protections and deliver the malware. The dropper then requests the permissions it needs to operate.
Examples of malicious apps spread through the RewardDropMiner dropper in India include PM YOJANA 2025, RTO Challan, SBI Online, and Axis Card. Newer versions of RewardDropMiner have removed their previous cryptocurrency mining abilities. Other droppers detected in similar campaigns are SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper.
A Google spokesperson told The Hacker News that, while these threats have not been found in the Play Store, “Google Play Protect helps to keep users safe by automatically checking it for threats … no apps containing these versions of this malware have been found on Google Play. We’re constantly enhancing our protections to help keep users safe from bad actors.”
Bitdefender Labs also warned about a campaign leveraging malicious Facebook ads to promote a counterfeit TradingView app, which delivered the Brokewell banking trojan to Android devices in the European Union. This operation has delivered at least 75 ads since late July 2025, also using fake financial and cryptocurrency apps to target Windows users.
Researchers say attackers are adjusting their methods to continue bypassing protections, showing the ongoing challenge in securing mobile platforms.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Chinese Yuan Lags Far Behind Dollar as Global Reserve Currency
- Trump Plan Offers Gaza Tokens for Land, Proposes “Smart Cities”
- Trump Family Nets $6B Boost as WLFI Crypto Token Goes Live
- DeFi Protocols Adopt Safe Harbor to Protect White Hat Hackers
- Bitcoin Retreats From Record $124K Amid Fed Crisis, Turmoil Persists
