The way they usually work is they give you some string and you sign it to prove you own the address.
Could a malicious airdrop make a transaction sending all your BTC to them, and then you sign it, and then they broadcast it to the network?
Or is signing a message different than signing a transaction?
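An added example (not part of the original post) showing why the two operations are different at the digest level. Bitcoin's `signmessage` never signs the raw string: the wallet double-SHA256-hashes a fixed prefix, `"Bitcoin Signed Message:\n"`, followed by the message, so the digest that ends up under the signature can never equal a transaction sighash, which is the double-SHA256 of the serialized transaction plus a 4-byte sighash type. The `legacy_sighash_all` helper is a simplification that assumes `raw_tx` is already the prepared sighash preimage (input scripts replaced by the scriptCode); the sample transaction bytes are constructed for illustration. The check a defender cares about is the last function: the only way a "prove you own the address" request can move coins is if the wallet prompt is actually a transaction-signing prompt, which is a different code path and a different digest.

```python
import hashlib

# Prefix fixed by Bitcoin Core's signmessage / verifymessage.
MESSAGE_MAGIC = b"Bitcoin Signed Message:\n"

# Constructed sample: a minimal legacy transaction (version 1, one input spending
# an all-zero outpoint, one 1 BTC output with an empty script, locktime 0).
SAMPLE_TX = bytes.fromhex(
    "01000000" + "01" + "00" * 32 + "00000000" + "00" + "ffffffff"
    + "01" + "00e1f50500000000" + "00" + "00000000"
)


def varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding used for the length fields."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def dsha256(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for both message and tx digests."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def signed_message_preimage(message: bytes) -> bytes:
    """Bytes that are hashed for a 'sign this string' request.

    The magic prefix is always in front, so the signer controls only the tail.
    """
    return varint(len(MESSAGE_MAGIC)) + MESSAGE_MAGIC + varint(len(message)) + message


def signed_message_digest(message: bytes) -> bytes:
    """Digest a wallet actually signs when asked to prove address ownership."""
    return dsha256(signed_message_preimage(message))


def legacy_sighash_all(raw_tx: bytes) -> bytes:
    """Digest a wallet signs to authorize a legacy transaction (SIGHASH_ALL = 1).

    Simplification (assumption): raw_tx is already the sighash preimage with the
    scriptCode substituted in; real wallets build it from the UTXO being spent.
    """
    return dsha256(raw_tx + (1).to_bytes(4, "little"))


def message_signature_could_spend(raw_tx: bytes) -> bool:
    """Worst case: the 'message' handed to the user is the raw transaction bytes.

    Returns True only if the message digest equals the transaction digest, i.e.
    only if a signature over the message would also validate as a tx signature.
    With the domain-separating prefix this is False for every input.
    """
    return signed_message_digest(raw_tx) == legacy_sighash_all(raw_tx)


if __name__ == "__main__":
    print("message digest:", signed_message_digest(SAMPLE_TX).hex())
    print("tx sighash:    ", legacy_sighash_all(SAMPLE_TX).hex())
    print("message signature usable as tx signature:", message_signature_could_spend(SAMPLE_TX))
```

The practical takeaway for a wallet user is to read what the wallet dialog is for: a "sign message" dialog produces a signature over the prefixed digest and cannot authorize a spend, whereas a "sign transaction" or "send" dialog produces a signature over the sighash and will move funds once broadcast.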
Airdrops are free, there is no way that they will sign a message just to get free tokens. If you see something malicious like that, it is not an airdrop at all. I have been receiving free rewards of tokens from airdrops and all I have to do is just fill their form with the Ethereum address that I have, and wait for them to distribute the tokens.