Android Droppers Now Deliver SMS Stealers and Spyware, Not Just Banking Trojans

Sep 01, 2025 | Ravie Lakshmanan

Mobile Security / Malvertising

Shifting Tides in Android Malware

Recent insights from cybersecurity researchers reveal a notable evolution in the Android malware ecosystem. Dropper apps, traditionally employed to deliver sophisticated banking trojans, are now being repurposed to disseminate simpler forms of malware, including SMS stealers and basic spyware. This shift is particularly evident in regions such as India and other parts of Asia, where these malicious applications often masquerade as legitimate government or banking services, according to a report by ThreatFabric.

The Dutch mobile security firm attributes this change to enhanced security measures that Google has implemented in select markets, including Singapore, Thailand, Brazil, and India. These measures aim to prevent the sideloading of potentially harmful applications that request sensitive permissions, such as access to SMS messages and accessibility services—settings frequently exploited for malicious activities on Android devices.

“Google Play Protect’s defenses, especially the targeted Pilot Program, are increasingly effective at intercepting risky apps before they can execute,” ThreatFabric noted. “Moreover, cybercriminals are adapting their strategies to ensure their operations remain resilient against these advancements.”

By encapsulating even the most basic payloads within a dropper, attackers create a protective layer that can evade current security checks while maintaining the flexibility to modify their tactics in the future. This cat-and-mouse dynamic underscores the ongoing challenges in cybersecurity.

ThreatFabric elaborated on how attackers are designing droppers with a keen awareness of Google’s Pilot Program, ensuring that these apps do not request high-risk permissions. Instead, they present users with an innocuous “update” screen that can bypass security scans. It is only upon user interaction—clicking the “Update” button—that the actual malicious payload is fetched from an external server, subsequently seeking the necessary permissions to execute its objectives.

“While Play Protect may issue alerts regarding potential risks during different scans, the installation of the app can still proceed if the user chooses to accept these warnings,” ThreatFabric explained. “This highlights a significant vulnerability: Play Protect permits the installation of risky applications if the user opts to proceed, allowing malware to circumvent the Pilot Program.”
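As an added defender-side example (not code from the article or from ThreatFabric), the following Python triage script applies the permission criteria described above to a decoded AndroidManifest.xml: it flags the SMS and accessibility-service permissions the Pilot Program targets, and separately flags the stage-one dropper shape, an app with clean permissions that nevertheless declares the ability to install a further package. It assumes the manifest has already been decoded to text (for example with apktool); the two sample manifests are constructed, and REQUEST_INSTALL_PACKAGES is used on the assumption that the dropper installs the fetched payload itself.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the Pilot Program description above singles out for sideloaded
# apps: SMS access and accessibility services.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumed stage-one dropper capability: the app installs a second APK itself.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"


def manifest_permissions(manifest_xml: str):
    """Return (set of requested permissions, True if an accessibility service is declared)."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    requested = {el.get(name_attr) for el in root.iter("uses-permission")}
    has_a11y = any(el.get(perm_attr) == ACCESSIBILITY_BIND for el in root.iter("service"))
    return requested, has_a11y


def triage(manifest_xml: str) -> str:
    """'high-risk': would trip the SMS/accessibility check; 'installer-no-high-risk':
    the stage-one dropper shape (clean permissions, but can install a package)."""
    requested, has_a11y = manifest_permissions(manifest_xml)
    if requested & HIGH_RISK_PERMISSIONS or has_a11y:
        return "high-risk"
    if INSTALL_PERMISSION in requested:
        return "installer-no-high-risk"
    return "low-signal"


# Constructed sample manifests (not real apps) for the two stages described above.
STAGE_ONE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.stage1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><activity android:name=".UpdateActivity"/></application>
</manifest>"""
STAGE_TWO = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.stage2">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

The point of the split verdicts is the one the report makes: a scanner that only looks for high-risk permissions passes the stage-one installer, so the "installer-no-high-risk" bucket is worth a second look on its own.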

One notable dropper identified is RewardDropMiner, which has been linked to spyware payloads and a Monero cryptocurrency miner that can be activated remotely. However, recent iterations of this tool have omitted the miner functionality.

Among the malicious applications delivered through RewardDropMiner, specifically targeting users in India, are:

  • PM YOJANA 2025 (com.fluvdp.hrzmkgi)
  • RTO Challan (com.epr.fnroyex)
  • SBI Online (com.qmwownic.eqmff)
  • Axis Card (com.tolqppj.yqmrlytfzrxa)

Other dropper variants that have managed to evade detection by Play Protect or the Pilot Program include SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper.

In response to these developments, Google stated that it has not identified any applications utilizing these techniques distributed through the Play Store and emphasized its ongoing efforts to enhance security measures. A spokesperson remarked, “Regardless of the source of an app—even if it is installed via a ‘dropper’—Google Play Protect works to safeguard users by automatically scanning for threats.”

“Protection against these identified malware variants was already established through Google Play Protect prior to this report. Based on our current detection capabilities, no apps containing these malware versions have been found on Google Play. We are continuously improving our defenses to protect users from malicious actors.”

Emerging Threats in Malvertising

In a related development, Bitdefender Labs has issued a warning about a new campaign leveraging malicious advertisements on Facebook. This initiative promotes a free premium version of the TradingView app for Android, ultimately deploying an enhanced version of the Brokewell banking trojan designed to monitor, control, and extract sensitive information from users’ devices.

Since July 22, 2025, no fewer than 75 malicious ads have been circulated, reaching tens of thousands of users across the European Union. This Android attack wave is merely one facet of a broader malvertising operation that has exploited Facebook Ads to target Windows desktops under the guise of various financial and cryptocurrency applications.

“This campaign illustrates how cybercriminals are refining their tactics to align with user behavior,” noted the Romanian cybersecurity firm. “By targeting mobile users and disguising malware as trusted trading tools, attackers aim to capitalize on the increasing reliance on cryptocurrency applications and financial platforms.”
