The way they usually work is they give you some string and you sign it to prove you own the address.

Could a malicious air drop make a transaction sending all your BTC to them, and then you sign it, and then they broadcast it to the network?
Or is signing a message different than signing a transaction?