Android Malware Droppers Evolve to Spread Spyware and SMS Stealers, ThreatFabric and Bitdefender Warn

Cybersecurity experts are warning of a new wave of Android malware campaigns where dropper apps—previously used mainly to deliver banking trojans—are now being deployed to distribute simpler but still dangerous malware, including SMS stealers and basic spyware. According to a recent report by Dutch security firm ThreatFabric, these campaigns are increasingly targeting users in India and other parts of Asia by posing as government or banking apps.

The shift appears to be a direct response to Google’s new security measures, which have been piloted in markets like Singapore, Thailand, Brazil, and India. These measures block the sideloading of suspicious apps requesting risky permissions such as SMS access and accessibility services, often exploited for malicious actions. “Google Play Protect’s defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run,” ThreatFabric said. “Second, actors want to future-proof their operations.”

By using droppers as a delivery mechanism, cybercriminals can bypass Google’s protections by serving a harmless “update” screen that passes security checks. Only when the user clicks “Update” does the real malicious payload download from an external server, at which point it requests permissions to execute its objectives. “Play Protect may display alerts about the risks, as a part of a different scan, but as long as the user accepts them, the app is installed, and the payload is delivered,” the firm added, calling it a “critical gap” in Google’s defenses.
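The gap described above can be turned into a static triage rule. This is an added example, not code from ThreatFabric, Google or the original article: it reads a decoded, plain-text AndroidManifest.xml and separates apps that request the risky permissions named above from apps that request none of them but can still fetch and install another package. Assumptions: the INTERNET plus REQUEST_INSTALL_PACKAGES pairing as the dropper signal, the function name and labels, and both sample manifests, which are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
SMS_PERMS = {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"}
# Assumption: a dropper needs network access plus the right to start an install.
INSTALLER_PERMS = {P + "INTERNET", P + "REQUEST_INSTALL_PACKAGES"}
ACCESSIBILITY_BIND = P + "BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml):
    """Triage a decoded (plain-text) AndroidManifest.xml; a hint, not a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    # Accessibility services are declared on <service>, not via <uses-permission>.
    accessibility = any(svc.get(ANDROID + "permission") == ACCESSIBILITY_BIND
                        for svc in root.iter("service"))
    risky = sorted(requested & SMS_PERMS)
    if accessibility:
        risky.append("accessibility-service")
    if risky:
        verdict = "risky-permissions"   # SMS or accessibility requested up front
    elif INSTALLER_PERMS <= requested:
        verdict = "dropper-shaped"      # clean manifest that can fetch and install
    else:
        verdict = "no-signal"
    return {"verdict": verdict, "risky": risky}

# Constructed sample manifests (not taken from any real app).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
DROPPER_STAGE = f"""<manifest {NS} package="example.constructed.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><activity android:name=".UpdateActivity"/></application>
</manifest>"""
PAYLOAD_STAGE = f"""<manifest {NS} package="example.constructed.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml_text in (("dropper", DROPPER_STAGE), ("payload", PAYLOAD_STAGE)):
        print(label, triage_manifest(xml_text))
```

Legitimate app stores and browsers also match the "dropper-shaped" rule, so it is best used to queue sideloaded apps for review rather than to block them outright.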

One such dropper, RewardDropMiner, has been observed delivering spyware along with a Monero cryptocurrency miner, though newer variants have dropped the mining feature. Malicious apps linked to this campaign include fake versions of PM YOJANA 2025, RTO Challan, SBI Online, and Axis Card. Other droppers like SecuriDropper, Zombinder, and BrokewellDropper are also actively used to bypass Play Protect.

In a parallel finding, Bitdefender Labs uncovered a Facebook malvertising campaign using fake ads for a free premium version of the TradingView app to deliver a more advanced variant of the Brokewell banking trojan. “This campaign shows how cybercriminals are fine-tuning their tactics to keep up with user behavior,” Bitdefender said, noting that more than 75 ads have run since July 22, 2025, targeting thousands of EU users.

Google has said no such apps have been found on the Play Store and that Play Protect is continuously updated to block threats.
