September 26, 2025
Cybersecurity researchers warn that Android droppers are now being used to spread simpler threats like SMS stealers and spyware in Asia.
Cybersecurity researchers have uncovered a troubling shift in the Android malware world. Droppers — small, seemingly harmless apps that secretly fetch and install malicious software — are no longer limited to delivering powerful banking trojans. They are now being repurposed to spread much simpler threats like SMS stealers and spyware, particularly across Asia.
For years, droppers acted as “delivery men” for complex malware that needed deep system access, such as banking trojans or remote access tools. However, according to a new report from Dutch security firm ThreatFabric, cybercriminals are adapting the same technique to spread far simpler malware inside stealthy apps, turning droppers into all-purpose tools for bypassing Google’s latest defences.
Why Droppers Are Becoming More Common
Researchers at ThreatFabric note that the change is linked to Google’s new Play Protect Pilot Program, which was recently rolled out in high-risk regions such as India, Brazil, Thailand, and Singapore.
The program scans apps before installation — particularly those downloaded from outside the Play Store — and blocks those requesting sensitive permissions like reading SMS, accessing notifications, or controlling accessibility features. If an app looks suspicious, it is blocked before it can even run.
The move has made it harder for malicious apps to get onto phones. But attackers have found a loophole. Instead of shipping malicious code directly, they hide it inside droppers that look harmless at first. These apps request minimal permissions, show a fake “update” prompt, and pass Google’s initial scans without issue. Only after users tap Update does the real malware get installed in the background, asking for the powerful permissions it needs.
“By encapsulating even basic payloads inside a dropper, they gain a protective shell that can evade today’s checks while staying flexible enough to swap payloads and pivot campaigns tomorrow,” ThreatFabric wrote in a blog post last week.
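For defenders, the gap described above can be narrowed by correlating each app's installer of record with the permissions of whatever it installed later. The following is an added example, not code from ThreatFabric or Google; the package names and inventory are constructed, and install_time_verdict is a simplified, assumed model of a permission-only pre-install check.

```python
# Permissions the article says are screened for before installation
# (the BIND_* entries are referenced on service declarations in the manifest).
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}
# Real Android permission an app needs before it can prompt to install another APK.
INSTALL_CAPABLE = "android.permission.REQUEST_INSTALL_PACKAGES"
INTERNET = "android.permission.INTERNET"

# Constructed device inventory (hypothetical packages): installer of record
# (None = sideloaded) and the permissions referenced in each manifest.
INVENTORY = {
    "com.example.rewards": {"installer": None, "perms": {INTERNET, INSTALL_CAPABLE}},
    "com.example.rewards.update": {
        "installer": "com.example.rewards",
        "perms": {INTERNET, "android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    },
    "com.example.notes": {"installer": "com.android.vending", "perms": {INTERNET}},
    "com.example.filemanager": {"installer": None, "perms": {INTERNET, INSTALL_CAPABLE}},
    "com.example.wallpaper": {"installer": "com.example.filemanager", "perms": {INTERNET}},
}

def install_time_verdict(perms):
    """Assumed model of a permission-only check: block on any sensitive permission."""
    return "block" if perms & SENSITIVE else "allow"

def find_dropper_chains(inventory):
    """Flag (installer, payload, sensitive permissions) where an app that looked
    clean at install time later installed a package holding sensitive permissions."""
    findings = []
    for pkg, meta in inventory.items():
        parent = inventory.get(meta["installer"])
        if parent is None:
            continue  # sideloaded, or installer not present in this inventory
        payload_sensitive = sorted(meta["perms"] & SENSITIVE)
        looked_clean = install_time_verdict(parent["perms"]) == "allow"
        if INSTALL_CAPABLE in parent["perms"] and looked_clean and payload_sensitive:
            findings.append((meta["installer"], pkg, payload_sensitive))
    return findings

if __name__ == "__main__":
    for installer, payload, perms in find_dropper_chains(INVENTORY):
        print(f"{installer} installed {payload}, which holds: {', '.join(perms)}")
```

The file manager in the sample is install-capable too, but it is not flagged because the package it installed holds none of the sensitive permissions.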
RewardDropMiner And Other Threats
Researchers at ThreatFabric highlighted one case called RewardDropMiner. It was originally designed to deliver spyware while quietly mining cryptocurrency in the background. However, in its latest version, the mining features have been removed, leaving only the dropper functionality. This leaner approach makes the malware harder to detect, while still letting attackers secretly deliver spyware or other malicious apps.
Fake apps tied to RewardDropMiner have been found impersonating popular Indian services such as PM Yojana 2025, SBI Online, Axis Card, and even government-related utilities.
Other dropper families like SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, and TiramisuDropper are also active, using similar tricks to dodge Google’s security checks and spread banking malware or spyware through fake websites or even via messaging apps.
The Cat-and-Mouse Game Continues
While Google says none of these apps were distributed via the Play Store and that Play Protect continues to block known threats, experts warn that droppers are evolving into universal malware installers.
“Droppers have evolved from niche tools for high-end banking malware into universal installers for almost any type of malicious app that may be big or small that basically needs to get past regional defences,” ThreatFabric added.
What Users Can Do
The shift underscores the ongoing arms race between security defenders and cybercriminals. For Google and the wider security community, it signals the need to keep evolving detection methods as attackers refine their tactics.
For everyday Android users, it is a reminder that vigilance is the first line of defence: install apps only from trusted sources, be cautious of apps demanding unusual permissions, stay alert for suspicious prompts, especially fake “updates,” and think twice before sideloading apps from third-party websites.