India on Alert: Fake SBI, Axis, and PM Yojana Apps Target Millions of Android Users

By Titiksha Srivastav - Assistant Editor

A new wave of Android malware is exploiting Facebook ads and fake government apps to infiltrate users’ devices across Europe and Asia. Security firms warn that “dropper” apps are being fine-tuned to bypass Google Play’s protections, disguising banking trojans and spyware as legitimate tools, with India among the key targets.

A Campaign Masquerading as Trust

Cybersecurity researchers have uncovered a sophisticated campaign where malicious ads on Facebook and rogue Android apps are being used to spread upgraded versions of the Brokewell banking trojan. It has been reported that since late July 2025, more than 75 malicious ads have circulated in the European Union alone, offering counterfeit “premium” versions of apps like TradingView. Once installed, these apps deploy malware capable of monitoring, controlling, and exfiltrating sensitive information from victims’ devices.

The campaign extends far beyond Europe. Security experts noted that in India, fraudulent apps such as PM Yojana 2025, fake RTO Challan apps, and counterfeit SBI and Axis Bank apps were delivered via a malware loader known as RewardDropMiner. These apps disguised themselves as trusted financial or government services, tricking users into granting permissions that later enabled spyware and banking trojans.

An Escalating Cat-and-Mouse Game

At the heart of this surge lies the evolution of “dropper” apps: malware designed not to cause immediate harm but to sneak harmful payloads past security defenses. By presenting themselves as harmless updates or low-risk apps, droppers evade Google Play Protect’s automated scans. Only after installation do they fetch dangerous code from external servers, including spyware and SMS-stealers.

A security firm warned that attackers are “future-proofing” operations by adapting droppers to bypass Google’s new Pilot Program, a security measure deployed in markets like India, Singapore, and Brazil. By avoiding high-risk permission requests and mimicking routine updates, these droppers are able to remain undetected until users themselves trigger the malicious payload.

Google, in response, emphasized that Play Protect continuously updates protections and has not detected the specific malware variants in the official Play Store. Still, researchers argue that Play Protect’s reliance on user interaction, such as clicking “Install anyway”, creates a critical gap that criminals are exploiting.

Global Implications for Mobile Security

The campaign reveals broader trends in the Android malware ecosystem. Researchers point to a growing reliance on crypto apps, trading platforms, and mobile banking as primary lures. By targeting these sectors, cybercriminals maximize both user trust and financial payoff.

Beyond spyware and banking trojans, droppers like RewardDropMiner have also been linked to cryptocurrency miners, though newer versions have abandoned this function in favor of more stealthy data-stealing capabilities. The abuse of Facebook ads as distribution channels further amplifies the threat, enabling attackers to reach tens of thousands of users quickly.

Cybersecurity experts stress that this is not an isolated incident but part of a larger wave of malvertising operations hitting both Android and Windows platforms.