

Ethical Hacking News

Malware Migrations: Android Droppers Now Delivering More Than Just Banking Trojans


Android droppers are now delivering a range of threats beyond banking trojans, including SMS stealers and spyware. Researchers warn that users must be vigilant when using their mobile devices.

  • Android dropper apps are being repurposed to distribute more sophisticated threats, including SMS stealers and basic spyware.
  • These apps masquerade as government or banking apps in Asia to evade security protections.
  • Google's pilot program to block sideloading of suspicious apps has not stopped cybercriminals from employing new tactics to bypass safeguards.
  • Cybercriminals are using dropper apps to encapsulate payloads, making it difficult for Google Play Protect and the Pilot Program to detect them.
  • Researchers have identified several examples of malicious dropper apps, including RewardDropMiner and SecuriDropper.
  • Malicious ads on Facebook are being used to peddle fake premium versions of legitimate apps, such as TradingView, which deploy banking trojans.


    Android security experts have been sounding the alarm about a new trend in mobile malware, where dropper apps that were once primarily used to deliver banking trojans are now being repurposed to distribute more sophisticated threats, including SMS stealers and basic spyware. According to researchers at ThreatFabric, these dropper apps are masquerading as government or banking apps in India and other parts of Asia, in an effort to evade security protections.

    In recent months, Google has implemented a pilot program in select markets, such as Singapore, Thailand, Brazil, and India, aimed at blocking sideloading of potentially suspicious apps requesting dangerous permissions like SMS messages and accessibility services. However, this move has not gone unnoticed by cybercriminals, who are now employing new tactics to bypass these safeguards.

    "Google Play Protect's defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run," said a spokesperson for Google. "However, actors want to future-proof their operations. By encapsulating even basic payloads inside a dropper, they gain a protective shell that can evade today's checks while staying flexible enough to swap payloads and pivot campaigns tomorrow."

    ThreatFabric has identified several examples of these malicious dropper apps, including RewardDropMiner, which has served a Monero cryptocurrency miner alongside spyware payloads. Recent variants of the tool no longer include the miner functionality but still deliver a range of other threats.

    Other dropper variants that avoid triggering Google's Play Protect or the Pilot Program include SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper. Researchers warn that these apps can be incredibly difficult to detect, as they often masquerade as legitimate government or banking apps.
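
Why a check keyed on requested permissions sees the payload but not the dropper in front of it, as an added example (not from the article or from ThreatFabric): a static triage of decoded AndroidManifest.xml text. The permission subset, the verdict labels and both sample manifests are assumptions constructed here.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Assumption: a representative subset of the permission classes the article names.
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
       "android.permission.SEND_SMS"}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INSTALLER = "android.permission.REQUEST_INSTALL_PACKAGES"

def triage(manifest_xml):
    """Classify a decoded AndroidManifest.xml by what it declares statically."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    risky = sorted(perms & SMS)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(A + "permission") == ACCESSIBILITY for s in root.iter("service")):
        risky.append(ACCESSIBILITY)
    can_install = INSTALLER in perms
    if risky:
        verdict = "permission-check-hit"        # what a permission-based block keys on
    elif can_install:
        verdict = "review-as-possible-dropper"  # clean permissions, can install an APK
    else:
        verdict = "no-static-finding"
    return {"risky": risky, "can_install": can_install, "verdict": verdict}

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample: a payload-style manifest asking for SMS and accessibility.
PAYLOAD = f"""<manifest {NS} package="com.example.payload">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
# Constructed sample: a first-stage manifest with network and installer rights only.
DROPPER = f"""<manifest {NS} package="com.example.stage1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("payload", PAYLOAD), ("stage1", DROPPER)):
        print(name, triage(xml))
```

REQUEST_INSTALL_PACKAGES is also declared by legitimate app stores and browsers, so the second verdict is a prompt for manual review of a sideloaded app, not a detection.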

    "The development comes as Bitdefender Labs has warned of a new campaign using malicious ads on Facebook to peddle a free premium version of the TradingView app for Android, which ultimately deploys an improved version of the Brokewell banking trojan," said a spokesperson for Bitdefender. "No less than 75 malicious ads have been run since July 22, 2025, reaching tens of thousands of users in the European Union alone."

    This campaign shows how cybercriminals are fine-tuning their tactics to keep up with user behavior, by targeting mobile users and disguising malware as trusted trading tools. The attackers hope to cash in on the growing reliance on crypto apps and financial platforms.

    The use of malicious ads on Facebook is just one part of a larger malvertising operation that has abused social media to target Windows desktops under the guise of various financial and cryptocurrency apps. Researchers are sounding the alarm about this trend, warning that users must be vigilant when using their mobile devices and exercise extreme caution when interacting with unsolicited messages or offers.





  • Published: Mon Sep 1 13:15:04 2025 by llama3.2 3B Q4_K_M












