Android Droppers: The Silent Gatekeepers of Malware

25 August 2025

Droppers have long been a cornerstone of Android malware campaigns. They’re small, seemingly harmless apps whose real job is to fetch and install a malicious payload. Historically, they were most widely used by families such as banking trojans and, at times, Remote Access Trojans (RATs). Especially after Android 13 restricted permissions and APIs, these threats leaned on droppers to slip past upfront scanning and only request powerful permissions (such as Accessibility Services) once the payload is installed, without drawing attention.

In recent months, we at ThreatFabric have observed a clear shift. Alongside banking trojans, droppers were also used in campaigns delivering relatively “simple” malware such as SMS stealers and basic spyware, often disguised as government or banking apps in India and other parts of Asia. At first glance, that feels like overkill; these families don’t necessarily rely on Accessibility abuse. So why distribute them in a dropper at all?

Our research points to two main drivers. First, Google Play Protect’s defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run. Second, actors want to future-proof their operations. By encapsulating even basic payloads inside a dropper, they gain a protective shell that evades today’s checks while staying flexible enough to swap payloads and pivot campaigns tomorrow.

The Pilot Program: What It Is and Why It Matters

The Pilot Program is Google’s enhanced scanning initiative aimed at tackling financial fraud on Android devices in high-risk regions such as India, Brazil, Thailand, and Singapore, with a likely expansion to other parts of Asia in the near future.

Unlike standard Play Protect scans, the Pilot Program scans right before an application is installed, especially when the app is side-loaded from a third-party source, and blocks the installation if the app holds risky permissions. It inspects apps for dangerous permissions (RECEIVE_SMS, READ_SMS, BIND_Notifications, and Accessibility), suspicious API calls, and high-risk behaviours before the app is allowed to be installed. If the scan detects high-risk permissions or suspicious APIs, the app is blocked from installation immediately, before the user can even interact with it.


The goal of the program is to stop malicious or suspicious apps before they can request sensitive permissions, and block those that try to obtain unnecessary access to a user’s data or device features.

In our tests we attempted to install a legitimate application, SMS Messenger, downloaded from a third-party source. Since it (legitimately) requires permissions from the block list, it is blocked by Play Protect as part of the Pilot Program, as illustrated in the screenshot below:

By focusing on regions with higher fraud activity, Google maximises protection where it’s needed most. However, this targeted approach also gives attackers a well-defined set of defences to study and ultimately find ways to bypass.

The New Face of Droppers: Targeting Pilot Program

What’s changed with droppers isn’t just volume, it’s intent. Modern droppers are now being built with Google’s Pilot Program in mind. Stage one is deliberately quiet: low-signal code, no high-risk permissions, and a harmless “update” screen that sails through pre-run scanning in Pilot-enrolled regions.

In our test, we used a dropper application to attempt installing the same SMS Messenger app, which carried risky permissions. The test dropper was purpose-built to mimic those we discovered in the wild, holding the same permissions and activities. The goal was to demonstrate how droppers help bypass Google’s security scanning mechanisms.

As demonstrated below, the dropper installs successfully, showing nothing more than an “update” prompt. Once the user clicks the Update button, the second act begins in the background: fetching or decrypting the real payload, then requesting the sensitive permissions it needs when the payload launches, often gated by a quick server-side decision. Play Protect may display alerts about the risks as part of a different scan, but as long as the user accepts them, the app is installed and the payload is delivered.

This illustrates a critical gap: Play Protect still allows risky apps through if the user clicks Install anyway, and the malware slips past the Pilot Program, which should have blocked it from installation.

Droppers no longer serve only heavyweight banking trojans that need Accessibility later; they now give even “simpler” threats a survivability window. By the time anything looks risky, the first app is already trusted and running, exactly the timing gap modern droppers are engineered to exploit. In short, actors are watching the security landscape closely, learning how the Pilot Program evaluates apps, and deliberately engineering around it.
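The Pilot Program description above keys on a fixed permission list, and the quiet stage-one dropper passes precisely because it asks for none of those permissions. The following added example (editor's code, not ThreatFabric's or Google's) shows that logic as a manifest triage script a defender could run over decoded AndroidManifest.xml files: it flags the block-list permissions the article names (mapping the article's "BIND_Notifications" and "Accessibility" to the Android identifiers BIND_NOTIFICATION_LISTENER_SERVICE and BIND_ACCESSIBILITY_SERVICE, an assumption) and, as a separate heuristic that is the editor's own rather than anything the article attributes to the Pilot Program, marks an app that can install other packages while requesting nothing risky itself. The two manifests are constructed samples modelled on the update-prompt-then-payload pattern, not real malware.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article lists as the Pilot Program's block list: SMS access,
# notification-listener binding and Accessibility. The identifiers are real
# Android permission names; the mapping from the article's shorthand is assumed.
RISKY_USES_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
RISKY_SERVICE_BINDINGS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}
# Editor's heuristic (assumption, not an article claim about Pilot): an app that
# may install other packages yet asks for nothing risky fits the quiet stage one.
INSTALLER_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"


def triage_manifest(manifest_xml: str) -> dict:
    """Return findings for one decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "risky_permissions": [],
        "risky_services": [],
        "can_install_packages": False,
    }
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name in RISKY_USES_PERMISSIONS:
            findings["risky_permissions"].append(name)
        elif name == INSTALLER_PERMISSION:
            findings["can_install_packages"] = True
    for svc in root.iter("service"):
        bind_perm = svc.get(ANDROID_NS + "permission", "")
        if bind_perm in RISKY_SERVICE_BINDINGS:
            findings["risky_services"].append((svc.get(ANDROID_NS + "name"), bind_perm))
    # What the article says the pre-install scan blocks on.
    findings["would_block_preinstall"] = bool(
        findings["risky_permissions"] or findings["risky_services"]
    )
    # Quiet installer: passes the permission check but can deliver stage two.
    findings["dropper_suspect"] = (
        findings["can_install_packages"] and not findings["would_block_preinstall"]
    )
    return findings


# Constructed sample manifests (not real malware): a bare "update" app and the
# SMS-reading payload it would deliver.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update.stage1">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Update">
        <activity android:name=".UpdateActivity" android:exported="true"/>
    </application>
</manifest>"""

PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger.stage2">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Messenger">
        <service android:name=".NotifService" android:exported="true"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    for xml_text in (DROPPER_MANIFEST, PAYLOAD_MANIFEST):
        f = triage_manifest(xml_text)
        print(f["package"], "| blocks pre-install:", f["would_block_preinstall"],
              "| dropper suspect:", f["dropper_suspect"])
```

The script expects the text form of the manifest, for example the AndroidManifest.xml that apktool writes when decoding an APK; the binary manifest inside the APK must be decoded first. Running it on the two samples shows the gap the article describes: the payload manifest would be blocked pre-install, while the stage-one manifest shows nothing on the block list and only the installer heuristic marks it as worth a closer look.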

RewardDropMiner: A Multi-Purpose Dropper

One example from our own research is RewardDropMiner, a dropper that not only delivers payloads but also previously hid a Monero cryptocurrency miner.

RewardDropMiner works in stages, focusing first on getting onto the device and then carefully unpacking its payloads, all while hiding its tracks. RewardDropMiner could:

  • Deliver spyware or other payloads via a staged installation process.

  • Deploy its own fallback spyware, based on the installer configuration, if the main payload failed.

  • Even run a hidden Monero (XMR) cryptocurrency miner triggered remotely.

What’s notable here is that it doesn’t just evade Play Protect; it is also capable of slipping past the Pilot Program’s permission/API scanning. In the most recent variant (RewardDropMiner.B), however, the operator has stripped out both the miner and the fallback spyware, keeping only the dropper functionality. We suspect this is a deliberate move by the developer behind the malware to reduce attention after several public reports exposed its mining operations and wallet addresses.

It’s Not Just RewardDropMiner

While RewardDropMiner is a strong example, it’s far from alone. Any dropper that avoids triggering Play Protect or the Pilot Program raises red flags. For example, SecuriDropper, a two-stage dropper we previously reported on that was built to bypass the Android 13 restrictions, installs its payload using the session-based installer API. Delaying permission requests until after installation, or embedding payloads in less obvious ways, is what lets these droppers get past such protections.

We’ve seen similar techniques in multiple droppers: Zombinder, BrokewellDropper and HiddenCatDropper tied to banking malware, and TiramisuDropper and Zombinder distributing SpyNote samples, especially those spread through messaging apps like WhatsApp or via fake websites.
For attackers, the strategy is simple: adapt the delivery method so the payload can still reach the victim, no matter what regional defences are in place.

Conclusion

Judging by the steady day-by-day increase in droppers, cybercriminals are quick learners. As soon as new defences like the Pilot Program appear, they start re-engineering their tools to sidestep them. Droppers have evolved from niche tools for high-end banking malware into universal installers for almost any type of malicious app, big or small, that needs to get past regional defences.

The takeaway is simple: Play Protect and the Pilot Program work, but only as part of a constantly evolving defence strategy. Detection needs to adapt as quickly as the threats themselves. In this cat-and-mouse game, droppers aren’t slowing down; they’re just getting smarter.
