NEWS Google's New Defense: "We'll Teach You Not to Download Junk." Hackers: "And We'll Teach the Junk to Download Itself."

ExcalibuR

Malicious actors have forced Google Play Protect to remain silent.

Inconspicuous droppers, which have long served as auxiliary tools in the arsenal of Android banking trojans and RATs, are now changing rapidly. Specialists at ThreatFabric have detected an alarming trend: droppers are now actively used to deliver far simpler malware, from spyware to SMS stealers. Crucially, their architecture has already been adapted to bypass Google's new protection system, the Pilot Program.

The essence of a dropper is its disguise: it looks like an ordinary application with no sign of malicious code, but once installed on a device it retrieves or unpacks the primary malicious component. This lets it pass initial security checks, including Play Protect's. The approach became especially relevant after Android 13 tightened its policies and restricted access to certain APIs and sensitive permissions. Droppers adapted to this as well, requesting access to functions such as Accessibility Services only after the payload is installed.

The Pilot Program was created by Google specifically to combat financial fraud in countries with high attack levels, including India, Brazil, Thailand, and Singapore. Unlike the standard Play Protect check, this system analyzes applications at the moment of installation, especially when downloaded from third-party sources. The program blocks installation if it detects suspicious permissions—for example, reading and receiving SMS, notifications, or access to accessibility features. However, malicious actors quickly found a way to bypass these checks as well.

Modern droppers, tuned specifically to evade the Pilot Program, deliberately keep the first installation stage as "quiet" as possible: no requests for dangerous permissions, no suspicious code, and only a simple splash screen about an update. In one experiment, researchers installed a legitimate but permission-sensitive SMS messenger app through a dropper. The dropper passed the initial scan without any problem, showing only an "Update" button. The real activity begins later, after the user clicks, when the payload is downloaded or decrypted and all necessary permissions are requested. At that point Play Protect may still warn about a threat, but the final decision remains with the user.

Thus, a time window appears between the initial installation and the launch of the main malicious function, which is exploited by attackers. Even "simple" malware that doesn't need special permissions is now hidden inside droppers—simply because it increases their chances of successful infiltration.
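To make the defensive point concrete, here is an added Python example that is not from ThreatFabric, Google, or the article: it models the install-time permission gate the article describes (a non-store install declaring SMS, notification-listener or accessibility permissions is blocked) and a cross-install heuristic that a per-install gate lacks, flagging a quiet non-store package that later acts as the installer of a package requesting those permissions. The event timeline and package names are constructed, the permission strings are standard Android manifest permissions, and the exemption for `com.android.vending` (the Play Store) is an assumption of this model, not the Pilot Program's real logic.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Permission classes the article names as triggers for the install-time check
# (SMS reading/receiving, notification access, accessibility). These are the
# standard Android manifest permission strings.
HIGH_RISK_PERMISSIONS: FrozenSet[str] = frozenset({
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
})

# Installers exempt from the gate. com.android.vending is the Play Store's
# package name; exempting it is an assumption of this model.
TRUSTED_INSTALLERS: FrozenSet[str] = frozenset({"com.android.vending"})


@dataclass(frozen=True)
class InstallEvent:
    """One package install as a device-side monitor might record it (constructed shape)."""
    package: str                 # package being installed
    installer: str               # package that drove the install; "" for a plain sideload
    permissions: FrozenSet[str]  # permissions declared in the installed manifest


def install_time_verdict(ev: InstallEvent) -> Tuple[str, FrozenSet[str]]:
    """Per-install gate: block a non-store install that declares high-risk permissions.

    This is the check the first, "quiet" dropper stage is built to pass."""
    risky = ev.permissions & HIGH_RISK_PERMISSIONS
    if ev.installer not in TRUSTED_INSTALLERS and risky:
        return "block", risky
    return "allow", frozenset()


def find_staged_installs(events: List[InstallEvent]) -> List[Tuple[str, str, FrozenSet[str]]]:
    """Cross-install heuristic the per-install gate lacks.

    Returns (stage1, stage2, risky_perms) whenever a package that was itself a
    quiet non-store install (no high-risk permissions) later acts as the
    installer of a package that does request them."""
    quiet_sideloads = set()
    findings = []
    for ev in events:
        # A second stage driven by an earlier quiet sideload is the dropper pattern.
        if ev.installer in quiet_sideloads:
            risky = ev.permissions & HIGH_RISK_PERMISSIONS
            if risky:
                findings.append((ev.installer, ev.package, risky))
        # Remember quiet non-store installs as potential first stages.
        if ev.installer not in TRUSTED_INSTALLERS and not (ev.permissions & HIGH_RISK_PERMISSIONS):
            quiet_sideloads.add(ev.package)
    return findings


# Constructed sample timeline (package names are placeholders, not real samples):
#   1. a "messenger update" is sideloaded with harmless permissions,
#   2. that package then installs a second APK requesting SMS permissions,
#   3. unrelated: a store-installed app declaring READ_SMS passes the gate.
SAMPLE_EVENTS: List[InstallEvent] = [
    InstallEvent("com.example.messenger.update", "",
                 frozenset({"android.permission.INTERNET"})),
    InstallEvent("com.example.messenger", "com.example.messenger.update",
                 frozenset({"android.permission.INTERNET",
                            "android.permission.READ_SMS",
                            "android.permission.RECEIVE_SMS"})),
    InstallEvent("com.example.sms.backup", "com.android.vending",
                 frozenset({"android.permission.READ_SMS"})),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, risky = install_time_verdict(ev)
        print(f"{ev.package:32} {verdict:5} {sorted(risky)}")
    for stage1, stage2, risky in find_staged_installs(SAMPLE_EVENTS):
        print(f"staged install: {stage1} -> {stage2} requests {sorted(risky)}")
```

The first event passes the gate exactly as the article's quiet first stage does; the gate only has something to block once the second stage declares its permissions, and the article notes that by then the request is hidden behind the Session Installer flow or reaches the user as a warning they can click through. The chaining heuristic is what turns the two separately unremarkable installs into one finding, which is why a monitor should keep installer provenance across events rather than judging each install in isolation.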

One prominent example is RewardDropMiner—a multi-purpose dropper that has been used at various stages to deliver spyware, launch backup malicious code, and even for hidden Monero mining. In its latest version, known as RewardDropMiner.B, the miner and spyware functionality was removed—apparently in response to publicity and the identification of the wallets used.

However, RewardDropMiner is far from the only representative of the new generation of droppers. Researchers point to a whole series of similar samples: SecuriDropper, Zombinder, BrokewellDropper, HiddenCatDropper, TiramisuDropper. Some of them use a two-phase installation via the Session Installer API, allowing them to hide real permission requests and mask malicious activity. Others, like Zombinder, are actively distributed through WhatsApp or fake websites.

This approach allows attackers not only to maintain access to devices but also to guarantee payload delivery regardless of the region or protections of the Android environment. Essentially, droppers have become a universal installer for malware of any complexity level—from trivial spies to complex banking trojans.

Specialists emphasize: the Play Protect system and the Pilot Program are indeed capable of stopping many threats, but only within the framework of a dynamically developing defense system. Malicious actors adapt quickly—so quickly that solutions effective today may become useless tomorrow. The evolution of droppers is a vivid confirmation of this. They are not disappearing; they are becoming smarter and more inventive, and this requires defense solutions to develop at the same rapid pace.
 