MiningDropper Unleashes Multi-Stage Android Malware Framework, Compromising Over 1,500 Devices in a Month


Recent findings from Cyble Research and Intelligence Labs (CRIL) have revealed a significant rise in the use of a sophisticated Android malware framework known as MiningDropper. This modular platform is capable of distributing various malicious payloads, including cryptocurrency miners, infostealers, Remote Access Trojans (RATs), and banking malware. The implications of this discovery are profound, as it highlights the evolving landscape of mobile threats and the increasing sophistication of cybercriminals.

A Modular Android Malware Framework at Scale

MiningDropper is not a typical malware strain; it functions as a multi-stage delivery framework designed to evade detection and dynamically deploy payloads. Its architecture incorporates advanced techniques such as XOR-based obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation measures. These layers work in concert to delay analysis and significantly reduce the likelihood of detection by conventional antivirus solutions.

In just one month, over 1,500 MiningDropper samples have been identified in the wild, with more than 50% exhibiting minimal antivirus detection. Alarmingly, around 668 samples recorded only three antivirus detections, signifying widespread distribution with low visibility.

Lumolight as the Initial Infection Vector

A recent variant of MiningDropper leverages a trojanized version of the open-source Lumolight application as its initial payload. Victims unknowingly install this compromised application through phishing links, fraudulent websites, or social media campaigns. Once installed, the malicious application activates a native library, “librequisitionerastomous.so,” which initiates the malware’s execution chain.

This native layer decrypts XOR-obfuscated strings at runtime and checks whether the app is operating in an emulator or rooted environment. If such conditions are detected, the malware halts execution to avoid analysis. Otherwise, it proceeds to decrypt and load the first-stage payload from the app’s assets.

Multi-Stage Payload Delivery Mechanism

MiningDropper’s infection chain unfolds across multiple stages:

  • Initial Stage: The native code decrypts an embedded asset using a hardcoded XOR key, producing a DEX file. This file is dynamically loaded using DexClassLoader and executes a bootstrap component.

  • First Stage: The bootstrap loader decrypts a second-stage payload using AES encryption. The AES key is derived from the SHA-1 hash of the file name, complicating static key extraction for analysts.

  • Second Stage: This stage presents a fake Google Play update interface, employing social engineering tactics to maintain user trust. Behind the scenes, it decrypts additional payloads and configuration files, allowing the malware to operate in two modes: as a cryptocurrency miner or a user-defined malicious payload. The configuration files dictate behavior, including parameters for remote control capabilities, payload splits, and subscription timelines.

  • Third Stage: The malware extracts a ZIP archive containing further DEX files and native libraries. Acting as a split-APK installer, it reconstructs and installs the final payload based on the configuration.
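As an added analyst-side example (not code from the CRIL report or this article), the helper below shows how the initial stage described above can be triaged: a suspected staged asset is tested for a short repeating XOR key by known plaintext against the DEX magic, and a candidate key is accepted only if the full decrypt passes the DEX header checks (Adler-32 checksum, file_size, header_size, endian_tag). The sample asset, the key and the maximum key length are constructed assumptions; the article does not state the key length or asset layout MiningDropper uses.

```python
"""Analyst triage helper (constructed example): recover a repeating-key XOR key
from an asset suspected to be a staged DEX file and validate the result."""
import struct
import zlib

DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")  # known plaintext
HEADER_SIZE = 0x70            # DEX header_size is always 0x70
ENDIAN_CONSTANT = 0x12345678  # DEX endian_tag of a little-endian file

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (the same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_dex(data: bytes) -> bool:
    """Validate magic, Adler-32 checksum, file_size, header_size and endian_tag."""
    if len(data) < HEADER_SIZE or data[:8] not in DEX_MAGICS:
        return False
    checksum = struct.unpack_from("<I", data, 8)[0]
    file_size, header_size, endian = struct.unpack_from("<III", data, 32)
    return (checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
            and file_size == len(data)
            and header_size == HEADER_SIZE
            and endian == ENDIAN_CONSTANT)

def recover_xor_key(blob: bytes, max_key_len: int = 8):
    """Known-plaintext recovery: derive the 8-byte keystream from the magic, try
    every period up to max_key_len, keep a key only if the full decrypt validates."""
    if len(blob) < HEADER_SIZE:
        return None
    for magic in DEX_MAGICS:
        stream = bytes(c ^ p for c, p in zip(blob[:8], magic))
        for klen in range(1, max_key_len + 1):
            key = stream[:klen]
            if any(stream[i] != key[i % klen] for i in range(8)):
                continue  # keystream is not periodic with this length
            if looks_like_dex(xor_bytes(blob, key)):
                return key
    return None

def build_sample_dex(body_len: int = 64) -> bytes:
    """Constructed stand-in for a staged DEX: a valid header plus filler body."""
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGICS[0]
    struct.pack_into("<III", header, 32, HEADER_SIZE + body_len, HEADER_SIZE, ENDIAN_CONSTANT)
    body = bytes(range(body_len))
    struct.pack_into("<I", header, 8, zlib.adler32(bytes(header[12:]) + body) & 0xFFFFFFFF)
    return bytes(header) + body

STAGED_KEY = b"\x5a\xa5\x3c"  # constructed sample key, not a key from the report
SAMPLE_ASSET = xor_bytes(build_sample_dex(), STAGED_KEY)
```

Run `recover_xor_key` over each file under the APK's assets directory; an asset for which it returns a key is worth pulling out for a DEX decompiler, while a None result means the asset is either not a staged DEX or uses a longer key than the assumed maximum.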

Campaigns Targeting Multiple Regions

CRIL has identified two primary campaign clusters utilizing MiningDropper:

  • Infostealer Campaign (India): This campaign targets Indian users by impersonating trusted entities such as Regional Transport Office (RTO) services, banks, and telecom providers. In October 2025, a campaign using RTO-themed lures distributed malicious APK files that ultimately deployed infostealers to harvest sensitive financial and personal data.

  • BTMOB RAT Campaign (Global): Another campaign distributes MiningDropper across Europe, Latin America, and Asia. Here, the final payload is BTMOB RAT, a powerful Android trojan first identified in February 2024 as a variant of SpySolr malware. It supports credential theft, real-time remote control, device takeover, and financial fraud operations.

Interestingly, while BTMOB RAT was initially distributed without obfuscation and detected by multiple antivirus engines, its integration with MiningDropper has reduced detection rates to as low as one to three engines.

Final Payload Capabilities

The final payload delivered by MiningDropper depends on the configuration:

  • Infostealers: Extract sensitive data such as login credentials and financial information.

  • RATs (e.g., BTMOB RAT): Enable full device compromise, including screen monitoring, file access, audio recording, and command execution via WebSocket-based communication.

  • Banking Trojans: Facilitate financial fraud through credential harvesting and transaction manipulation.

  • Cryptocurrency Miners: Utilize device resources for unauthorized mining operations.

The malware also exploits Android Accessibility Services to gain extensive control over infected devices, allowing it to simulate user interactions and grant additional permissions.

A Scalable Malware-as-a-Framework Model

MiningDropper exemplifies a shift towards malware frameworks that prioritize scalability and adaptability. Its ability to switch between payloads using configuration changes, without altering the core architecture, makes it highly reusable across campaigns. This modularity enables threat actors to rapidly expand operations while maintaining low detection rates.

MiningDropper represents more than just another Android malware strain. By combining advanced obfuscation, multi-stage execution, and the exploitation of legitimate projects like Lumolight, it poses a significant threat capable of sustaining large-scale, global campaigns.

Source: thecyberexpress.com
