Droppers—seemingly harmless apps that secretly deliver malware—have long been a key part of Android cybercrime. But according to a new ThreatFabric report, these tools are no longer limited to banking trojans. They’re being re-engineered to bypass Google’s Play Protect and its Pilot Program, making them stealthier, more flexible, and more dangerous than ever.
ThreatFabric explains: “Droppers have long been a cornerstone of Android malware campaigns. They’re small, seemingly harmless apps whose real job is to fetch and install a malicious payload.”
Traditionally, droppers were associated with banking trojans and RATs (Remote Access Trojans). However, ThreatFabric has now observed them being used for SMS stealers and basic spyware, often disguised as government or banking apps in India and Asia.
Why use a dropper for relatively simple malware? The answer, ThreatFabric notes, lies in defense evasion and future-proofing: “By encapsulating even basic payloads inside a dropper, they gain a protective shell that can evade today’s checks while staying flexible enough to swap payloads and pivot campaigns tomorrow.”

To combat rising mobile fraud, Google introduced its Pilot Program, an enhanced scanning initiative focused on high-risk regions such as India, Brazil, Thailand, and Singapore. Unlike regular Play Protect scans, the program:
- Scans right before installation, especially for sideloaded apps.
- Blocks apps with risky permissions like RECEIVE_SMS, READ_SMS, BIND_Notifications, and Accessibility.
- Inspects API calls and behavioral patterns before allowing installation.
ThreatFabric explains the impact: “If the scan detects high risk permissions or suspicious APIs, the app is blocked from installation immediately, before the user can even interact with it.”
This makes the Pilot Program powerful, but also creates a well-defined defense playbook for adversaries to study—and bypass.
Modern droppers are now deliberately engineered to slip through the Pilot Program. The first stage looks harmless: low permissions, a simple “update” prompt, and minimal signals that might trigger Play Protect. Once trusted and installed, the second stage fetches or decrypts the real payload and requests sensitive permissions, often gated by server-side logic.
ThreatFabric warns: “Droppers no longer serve only heavyweight banking trojans… they now give even ‘simpler’ threats a survivability window. By the time anything looks risky, the first app is already trusted and running, exactly the timing gap modern droppers are engineered to exploit.”
One striking example is RewardDropMiner, a multi-purpose dropper capable of delivering spyware and even running a Monero (XMR) cryptocurrency miner in earlier versions.
Its functionality included:
- Delivering staged spyware payloads.
- Deploying fallback spyware if the main payload failed.
- Running a hidden Monero miner remotely.
In its latest version, RewardDropMiner.B, the miner and fallback spyware were removed—likely a move to reduce attention after its crypto wallets were exposed publicly. Still, it remains a highly effective dropper framework designed to bypass both Play Protect and the Pilot Program.
RewardDropMiner is not alone. ThreatFabric highlights several other dropper families engineered to evade Android 13 restrictions and Google’s scanning:
- SecuriDropper – Uses the Session Installer API to delay permission requests.
- Zombinder – Known for bundling malware with legitimate apps.
- BrokewellDropper – Distributes advanced banking malware.
- HiddenCatDropper – Deployed with stealth persistence.
- TiramisuDropper – Used in SpyNote RAT distribution campaigns.
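The two-stage pattern described above (a clean first stage, then a late permission request or a second package delivered through the dropper's own installer session) can be spotted from device telemetry after the fact. The following is an added example, not code from ThreatFabric or the report; it runs over a constructed event log, and the permission constants are the Android manifest names for the classes the Pilot Program blocks.

```python
from collections import defaultdict

# Android manifest constants for the permission classes the Pilot Program
# blocks at install time (SMS, notification listener, accessibility).
RISKY = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

# Constructed sample telemetry: install events carry the permissions declared
# at install time; later events record special-permission requests and
# packages installed through another app's PackageInstaller session.
EVENTS = [
    {"t": 0, "event": "install", "pkg": "com.example.update",
     "installer": "sideload", "perms": ["android.permission.INTERNET"]},
    {"t": 60, "event": "install", "pkg": "com.example.bank",
     "installer": "store", "perms": ["android.permission.READ_SMS"]},
    {"t": 3600, "event": "perm_request", "pkg": "com.example.update",
     "perm": "android.permission.BIND_ACCESSIBILITY_SERVICE"},
    {"t": 3700, "event": "install", "pkg": "com.example.payload",
     "installer": "com.example.update",
     "perms": ["android.permission.RECEIVE_SMS"]},
]


def find_staged_droppers(events):
    """Return {package: [reasons]} for sideloaded apps that looked clean at
    install time but later escalated to a risky permission or installed a package."""
    installed = {}            # pkg -> (installer, risky perms declared at install)
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["event"] == "install":
            risky_now = RISKY & set(ev["perms"])
            installed[ev["pkg"]] = (ev["installer"], risky_now)
            parent = ev["installer"]
            # A sideloaded app acting as installer for another package is the
            # second-stage delivery the report describes.
            if parent in installed and installed[parent][0] == "sideload":
                reason = f"installed {ev['pkg']} via its own installer session"
                if risky_now:
                    reason += f" requesting {sorted(risky_now)}"
                findings[parent].append(reason)
        elif ev["event"] == "perm_request":
            src, risky_at_install = installed.get(ev["pkg"], (None, set()))
            # Clean-at-install sideloaded app asking for a blocked permission class later.
            if src == "sideload" and not risky_at_install and ev["perm"] in RISKY:
                findings[ev["pkg"]].append(f"late request for {ev['perm']}")
    return dict(findings)
```

The store-installed banking app that declared READ_SMS up front is not flagged: the signal is the gap between a clean install and later escalation, not the permission itself.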
ThreatFabric stresses: “For attackers, the strategy is simple: adapt the delivery method so the payload can still reach the victim, no matter what regional defences are in place.”
The rise of modern droppers shows how quickly cybercriminals adapt. ThreatFabric concludes: “Droppers have evolved from niche tools for high-end banking malware into universal installers for almost any type of malicious app… In this cat-and-mouse game, droppers aren’t slowing down as they’re just getting smarter.”
For defenders, this means relying solely on Play Protect or Google’s Pilot Program is not enough. Continuous monitoring, user awareness, and threat intelligence remain essential to stay ahead of smarter droppers and stealthier payloads.