Dropper (malware)

From Wikipedia, the free encyclopedia

A dropper[1][2] is a kind of Trojan that has been designed to "install"  malware (virus, backdoor, etc.) to a computer. The malware code can be contained within the dropper in such a way as to avoid detection by virus scanners; or the dropper may download the malware to the targeted computer once activated.

There are two types of droppers. The first is known as a persistent dropper. Upon running the malware, it hides itself on the device. It then modifies the system registry keys. Even if the malware is removed the hidden file will execute upon rebooting the system. This allows it to reinstall the malware even if it was previously removed. The second type is known as a non-persistent dropper. It is less dangerous because upon executing its payload it removes itself from the system. This way, when the malware is removed it will not be able to reinstall itself.[3]

A Trojan works by disguising itself into another program. It then requires the user to click on it to be executed. It unpacks code and then loads the payload into memory. It then installs the malicious software (malware).[4] A notable example of such malware is GCleaner, which is a dropper that disguises itself as a genuine PC optimization program.[5]

In order to prevent malware droppers from infecting a computer, precautions can be taken. For example, not opening links from unknown sources, and downloading software only from known verified distributors, such as the Microsoft Store and the Apple App Store. Also a firewall can be used to allow only incoming traffic from verified sources.[3] Droppers can also work on mobile devices. For instance, if a user downloads an application from a link in a text message, upon the installation of the application the dropper infects the device with malware. An example of a Trojan dropper created for mobile devices is the Sharkbot dropper.[6][7] It is a financial Trojan that takes user's funds by exploiting an Automatic Transfer Service (ATS). This can automatically complete financial transaction fields with almost no user help. This allows an attacker to quickly transfer funds out of a user's mobile banking applications. This type of malware is not found in app stores. Instead, it has to be installed through a process called sideloading.[7]

See also[edit]


  1. ^ "Trojan.Dropper". www.symantec.com. Archived from the original on 24 March 2007.
  2. ^ "What is dropper - Definition from WhatIs.com". techtarget.com.
  3. ^ a b Saurbh, Utkarsh (2022). Explained: Types of Dropper malware and how to prevent yourself from them [GADGETS NEWS] (Thesis). ProQuest 2651840630.
  4. ^ "Explainer: What is a dropper malware and how to prevent its attack". The Times of India. 2 March 2022. ProQuest 2634604466.
  5. ^ "GCleaner Malware Analysis, Overview by ANY.RUN".
  6. ^ Research, RIFT; Team, Intelligence Fusion (2022-03-03). "SharkBot: a "new" generation Android banking Trojan being distributed on Google Play Store". NCC Group Research. Retrieved 2022-12-03.
  7. ^ a b Arntz, Pieter. "SharkBot Android banking Trojan cleans users out". Malwarebytes. Retrieved 2022-12-03.