Malicious actors are now using dropper apps not just to install banking trojans, but also simpler forms of malware like SMS stealers and spyware, according to a new report by Dutch cybersecurity firm ThreatFabric.
The malicious apps are often disguised as official government or banking apps. Once installed, they trick users with fake update screens. When users click ‘Update,’ the real malware is downloaded from a remote server and begins requesting dangerous permissions.
ThreatFabric says this shift is partly a response to Google's new security pilot programs in countries like Singapore, Thailand, Brazil, and India. Such programs aim to block apps that request risky permissions like SMS access and accessibility services, which are two commonly abused features in Android malware.
“Unlike standard Play Protect scans, the Pilot Program scans right before an application is installed, especially when the app is side-loaded from a third-party source, and further blocks installation if the app has risky permissions,” ThreatFabric explained, adding that while Google Play Protect’s defenses are increasingly effective, criminals are quick to adapt.
To bypass Google’s protections, droppers are now designed to appear harmless. They don’t request risky permissions right away and instead fetch malicious payloads later, once users interact with them. While Play Protect may warn users, it still allows installations if users choose to proceed.
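The "install clean, escalate later" sequence described above (benign install, payload fetched after user interaction, risky capabilities requested only then) can be picked out of device telemetry with a simple stateful correlation. The following is an added example, not code from ThreatFabric or Google; the event format, package names and the abstract capability labels ("sms", "accessibility") are constructed for illustration.

```python
"""Flag packages that follow the staged dropper pattern:
install without risky capabilities -> fetch an APK/DEX payload -> request
a risky capability that was never declared at install time.
Events are a constructed, simplified telemetry feed (assumption: one dict
per event, in chronological order)."""
from collections import defaultdict

# The two capabilities the report names as commonly abused.
RISKY = {"sms", "accessibility"}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"pkg": "com.example.govportal", "type": "install", "caps": ["internet"]},
    {"pkg": "com.example.govportal", "type": "download", "name": "update.apk"},
    {"pkg": "com.example.govportal", "type": "cap_request", "cap": "sms"},
    {"pkg": "com.example.govportal", "type": "cap_request", "cap": "accessibility"},
    # Benign app: asks for a non-risky capability later, no payload download.
    {"pkg": "com.example.notes", "type": "install", "caps": ["internet"]},
    {"pkg": "com.example.notes", "type": "cap_request", "cap": "camera"},
    # SMS app that declared SMS access up front: Pilot-style checks see it.
    {"pkg": "com.example.sms", "type": "install", "caps": ["sms"]},
    {"pkg": "com.example.sms", "type": "cap_request", "cap": "sms"},
]


def find_staged_droppers(events):
    """Return {pkg: [risky caps]} for packages that installed without the
    capability, later downloaded a payload, and only then asked for it."""
    declared = {}            # pkg -> capabilities declared at install
    downloaded = set()       # pkgs that fetched an APK/DEX after install
    hits = defaultdict(list)
    for ev in events:
        pkg = ev["pkg"]
        if ev["type"] == "install":
            declared[pkg] = set(ev["caps"])
            downloaded.discard(pkg)  # a reinstall starts a fresh timeline
        elif ev["type"] == "download" and ev["name"].endswith((".apk", ".dex")):
            downloaded.add(pkg)
        elif ev["type"] == "cap_request":
            cap = ev["cap"]
            undeclared = cap not in declared.get(pkg, set())
            if cap in RISKY and undeclared and pkg in downloaded:
                hits[pkg].append(cap)
    return dict(hits)


if __name__ == "__main__":
    for pkg, caps in find_staged_droppers(EVENTS).items():
        print(f"staged dropper candidate: {pkg} requested {caps} after payload download")
```

Only the package that combined all three stages is reported; the app that declared SMS access at install is left to the install-time checks, and the late camera request is ignored because it is not one of the risky capabilities.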
Among the dropper tools identified are RewardDropMiner, SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper. RewardDropMiner previously delivered a Monero cryptocurrency miner, though newer versions no longer include that function.