
Cybersecurity researchers have drawn attention to a shift in dropper apps, which are typically used to deliver banking trojans, toward distributing simpler malware such as SMS stealers and basic spyware.
These campaigns are being propagated through dropper apps disguised as government or banking apps in India and other parts of Asia, ThreatFabric said in a report last week.
The Dutch mobile security company said the change is driven by recent Google security protections, notably a pilot program that blocks the sideloading of suspicious apps requesting dangerous permissions such as SMS access and accessibility services.
“Google Play Protect’s defenses, particularly the targeted pilot programs, are becoming increasingly effective at stopping high-risk apps before they run,” the company said. “Secondly, the actors want to maintain their business in the future.”

“By encapsulating even the basic payload within the dropper, they get a protective shell that can avoid today’s checks while still remaining flexible enough to swap payloads and pivot campaigns tomorrow.”
ThreatFabric said Google’s strategy raises the bar by blocking malicious apps from being installed even before users interact with them, but attackers keep looking for new ways to stay ahead in what is an endless cat-and-mouse game.
Droppers designed with Google’s pilot program in mind present only a harmless “update” screen at install time and request no risky permissions, which lets them pass the install-time scans.
However, when the user taps the “Update” button, the actual payload is fetched from an external server or unpacked from within the app, and only then does it ask for the permissions it needs to achieve its goal.
“Play Protect may display risk alerts as part of different scans, but as long as the user accepts them, the app will be installed and the payload will be delivered,” ThreatFabric said. “This shows an important gap: Play Protect allows high-risk apps, even if the malware slips past the pilot program, when the user clicks install anyway.”
One such dropper is RewardDropMiner, which is known to have bundled a cryptocurrency miner alongside its spyware payload. Recent variants of the tool, however, no longer include the mining component.

Some of the malicious apps delivered via RewardDropMiner, all of which target Indian users, are listed below:
- PM Yojana 2025 (com.fluvdp.hrzmkgi)
- RTO Challan (com.epr.fnroyex)
- SBI Online (com.qmwownic.eqmff)
- Axis Card (com.tolqppj.yqmrlytfzrxa)
Other dropper variants that avoid triggering Play Protect or the pilot program include SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper.
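The dropper pattern described above leaves two practical signals for a defender: the package name of a known dropper app, and the post-“update” request for the SMS and accessibility capabilities the shell deliberately avoids asking for at install time. The following script is an added example (not code from the report or from ThreatFabric) that triages a device's package inventory on both signals. The package names come from the list above; the inventory and the per-package permission sets are constructed sample data. It assumes the `package:<name>` line format printed by `adb shell pm list packages`, and that the caller has collected each package's permission strings (for example from `dumpsys package <name>`, including the accessibility service's bind permission) into a dictionary.

```python
"""Added example: flag installed packages that match the dropper apps named in
the report, or that hold the SMS + accessibility permission combination the
report describes as the post-update payload's ask."""
from __future__ import annotations

from dataclasses import dataclass

# Package names taken from the report's list of RewardDropMiner-delivered apps.
KNOWN_DROPPER_PACKAGES = {
    "com.fluvdp.hrzmkgi": "PM Yojana 2025",
    "com.epr.fnroyex": "RTO Challan",
    "com.qmwownic.eqmff": "SBI Online",
    "com.tolqppj.yqmrlytfzrxa": "Axis Card",
}

# Standard Android permission strings for the two capabilities the report names.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


@dataclass(frozen=True)
class Finding:
    package: str
    reason: str


def parse_pm_list(output: str) -> list[str]:
    """Parse `pm list packages` output (assumption: one 'package:<name>' per line)."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):])
    return names


def triage(packages: list[str], permissions_by_package: dict[str, set[str]]) -> list[Finding]:
    """Return one Finding per signal: known dropper name, or SMS+accessibility combo."""
    findings: list[Finding] = []
    for pkg in packages:
        if pkg in KNOWN_DROPPER_PACKAGES:
            findings.append(Finding(pkg, f"matches reported dropper app '{KNOWN_DROPPER_PACKAGES[pkg]}'"))
        perms = permissions_by_package.get(pkg, set())
        # A dropper shell requests neither at install time; the delivered payload needs both.
        if perms & SMS_PERMISSIONS and ACCESSIBILITY_PERMISSION in perms:
            findings.append(Finding(pkg, "holds both SMS and accessibility permissions"))
    return findings


# Constructed sample inventory, in the `pm list packages` line format.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.epr.fnroyex
package:com.example.updater
package:com.example.messenger
"""

# Constructed sample permission sets (what a collector would have gathered per package).
SAMPLE_PERMISSIONS: dict[str, set[str]] = {
    "com.android.chrome": {"android.permission.INTERNET"},
    "com.epr.fnroyex": {"android.permission.INTERNET"},  # shell stage: nothing risky yet
    "com.example.updater": {"android.permission.RECEIVE_SMS", ACCESSIBILITY_PERMISSION},
    "com.example.messenger": {"android.permission.RECEIVE_SMS"},  # SMS alone is common and benign
}


def run_sample() -> list[Finding]:
    """Run the triage over the constructed sample data."""
    return triage(parse_pm_list(SAMPLE_PM_OUTPUT), SAMPLE_PERMISSIONS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.package}: {f.reason}")
```

Note that the known-name match fires even though `com.epr.fnroyex` holds nothing risky yet, which is exactly the install-time blind spot the report describes; the permission-combo rule is what catches the stage-two payload regardless of its package name.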
When reached for comment, Google told The Hacker News that it had not found any apps using these techniques distributed via the Play Store and that it is constantly adding new protections.
“No matter where an app comes from, even if it’s installed by a ‘dropper’ app, Google Play Protect can help keep users safe by automatically checking for threats,” a spokesperson said.
“Protection against these identified malware versions was already in place through Google Play Protect prior to this report. Based on current detections, no apps containing these versions of this malware were found on Google Play. We are constantly increasing the protections that help keep users safe from bad actors.”

The development comes as Bitdefender Labs warns of a new campaign that uses malicious Facebook ads to promote a free premium version of the TradingView app for Android and ultimately deliver an improved version of the Brokewell banking trojan, which can monitor, control, and steal from victims’ devices.
Since July 22, 2025, more than 75 malicious ads have been running, reaching tens of thousands of users in the European Union alone. The Android wave is only part of a larger malvertising operation that abuses Facebook ads and also targets Windows desktops under the guise of various financial and cryptocurrency apps.

“This campaign shows that cybercriminals are tweaking their tactics to keep up with user behavior,” said the Romanian cybersecurity company. “By targeting mobile users and disguising malware as a trustworthy trading tool, attackers want to profit from the growing reliance on crypto apps and financial platforms.”