Sep 01, 2025Ravie LakshmananMobile Safety / Malvertising
Cybersecurity researchers are calling consideration to a brand new shift within the Android malware panorama the place dropper apps, that are sometimes used to ship banking trojans, to additionally distribute less complicated malware akin to SMS stealers and fundamental spyware and adware.
These campaigns are propagated through dropper apps masquerading as authorities or banking apps in India and different elements of Asia, ThreatFabric stated in a report final week.
The Dutch cell safety agency stated the change is pushed by latest safety protections that Google has piloted in choose markets like Singapore, Thailand, Brazil, and India to dam sideloading of probably suspicious apps requesting harmful permissions like SMS messages and accessibility providers, a closely abused setting to hold out malicious actions on Android gadgets.
“Google Play Defend’s defences, significantly the focused Pilot Program, are more and more efficient at stopping dangerous apps earlier than they run,” the corporate stated. “Second, actors wish to future-proof their operations.”
“By encapsulating even fundamental payloads inside a dropper, they achieve a protecting shell that may evade in the present day’s checks whereas staying versatile sufficient to swap payloads and pivot campaigns tomorrow.”
ThreatFabric stated that whereas Google’s technique ups the ante by blocking a malicious app from being put in even earlier than a person can work together with it, attackers are attempting out new methods to get across the safeguards — a sign of the limitless sport of whack-a-mole relating to safety.
This contains designing droppers, preserving in thoughts Google’s Pilot Program, in order that they do not search high-risk permissions and serve solely a innocent “replace” display that may fly previous scanning within the areas.
But it surely’s solely when the person clicks the “Replace” button that the precise payload will get fetched from an exterior server or unpacked, which then proceeds to hunt the mandatory permissions to fulfil its aims.
“Play Defend could show alerts concerning the dangers, as part of a distinct scan, however so long as the person accepts them, the app is put in, and the payload is delivered,” ThreatFabric stated. “This illustrates a important hole: Play Defend nonetheless permits dangerous apps by means of if the person clicks Set up anyway, and the malware nonetheless slips by means of the Pilot Program.”
One such dropper is RewardDropMiner, which has been discovered to serve together with spyware and adware payloads a Monero cryptocurrency miner that may be activated remotely. Current variants of the device, nonetheless, now not embrace the miner performance.
A few of the malicious apps delivered through RewardDropMiner, all focusing on customers in India, are listed under –
PM YOJANA 2025 (com.fluvdp.hrzmkgi)
°RTO Challan (com.epr.fnroyex)
SBI On-line (com.qmwownic.eqmff)
Axis Card (com.tolqppj.yqmrlytfzrxa)
Different dropper variants that keep away from triggering Play Defend or the Pilot Program embrace SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper.
When reached for remark, Google instructed The Hacker Information it has not discovered any apps utilizing these strategies distributed through the Play Retailer and that it is continuously including new protections.
“No matter the place an app comes from – even when it is put in by a ‘dropper’ app – Google Play Defend helps to maintain customers protected by robotically checking it for threats,” a spokesperson stated.
“Safety in opposition to these recognized malware variations was already in place by means of Google Play Defend previous to this report. Primarily based on our present detection, no apps containing these variations of this malware have been discovered on Google Play. We’re continuously enhancing our protections to assist maintain customers protected from dangerous actors.”
The event comes as Bitdefender Labs has warned of a brand new marketing campaign that is utilizing malicious adverts on Fb to hawk a free premium model of the TradingView app for Android to in the end deploy an improved model of the Brokewell banking trojan to watch, management, and steal delicate info from the sufferer’s machine.
A minimum of 75 malicious adverts have been run since July 22, 2025, reaching tens of hundreds of customers within the European Union alone. The Android assault wave is only one half of a bigger malvertising operation that has abused Fb Adverts to additionally goal Home windows desktops underneath the guise of varied monetary and cryptocurrency apps.
“This marketing campaign reveals how cybercriminals are fine-tuning their techniques to maintain up with person habits,” the Romanian cybersecurity firm stated. “By focusing on cell customers and disguising malware as trusted buying and selling instruments, attackers hope to money in on the rising reliance on crypto apps and monetary platforms.”
