Researchers have recently brought to light a sophisticated Android malware framework known as MiningDropper. This discovery, made by security experts at Cyble Research and Intelligence Labs (CRIL), highlights a significant uptick in campaigns utilizing this modular platform, which is adept at distributing a variety of malicious payloads, including cryptocurrency miners, infostealers, Remote Access Trojans (RATs), and banking malware.
A Modular Android Malware Framework at Scale
MiningDropper distinguishes itself from conventional malware strains by functioning as a multi-stage delivery framework designed to evade detection while dynamically deploying payloads. Its architecture incorporates advanced techniques such as XOR-based obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation methods. These protective layers collectively hinder analysis and diminish the chances of detection by standard antivirus solutions.
In a striking revelation, over 1,500 MiningDropper samples have been detected in the wild within just one month, with more than half exhibiting minimal antivirus detection. Alarmingly, approximately 668 samples recorded only three antivirus detections, underscoring the widespread distribution and low visibility of this malware.
Lumolight as the Initial Infection Vector
A recent variant of MiningDropper employs a trojanized version of the open-source Lumolight application as its initial payload. Victims are often unaware that they are installing this compromised application, which is typically disseminated through phishing links, fraudulent websites, or social media campaigns. Upon installation, the malicious application activates a native library, “librequisitionerastomous.so,” which initiates the execution chain.
This native layer decrypts XOR-obfuscated strings at runtime and assesses whether the app is operating in an emulator or rooted environment. If such conditions are detected, the malware ceases execution to avoid scrutiny. Conversely, if no anomalies are found, it proceeds to decrypt and load the first-stage payload from the app’s assets.
Multi-Stage Payload Delivery Mechanism
The infection chain of MiningDropper unfolds through several stages:
- Initial Stage: The native code decrypts an embedded asset using a hardcoded XOR key, resulting in a DEX file. This file is dynamically loaded using DexClassLoader, executing a bootstrap component.
- First Stage: The bootstrap loader decrypts a second-stage payload utilizing AES encryption. The AES key is derived from the SHA-1 hash of the file name, complicating efforts for analysts to extract static keys.
- Second Stage: This stage presents a counterfeit Google Play update interface, employing social engineering tactics to maintain user trust. In the background, it decrypts additional payloads and configuration files, allowing the malware to operate in two modes: as a cryptocurrency miner or a user-defined malicious payload. Configuration files, such as “norweyanlinkediting” (miner path) and “udela” (user payload path), dictate the malware’s behavior, including remote control capabilities, payload splits, and subscription timelines.
- Third Stage: The malware extracts a ZIP archive containing further DEX files and native libraries. Acting as a split-APK installer, it reconstructs and installs the final payload based on the configuration.
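The staging chain above (XOR-obfuscated asset that decrypts to a DEX, an AES key derived from the SHA-1 of a file name, and the named native library and configuration files) gives an analyst concrete things to check for in a sample. The following Python triage helper is an added example written for this page; it is not CRIL's tooling or code from the MiningDropper samples. It recovers a short repeating XOR key from an asset by known-plaintext (every DEX file begins with the fixed magic bytes), confirms the result with the DEX header size field, flags the file names quoted in the report, and lists SHA-1-derived AES key candidates. The key lengths tried, the way the 20-byte SHA-1 digest is cut down to an AES key, and the constructed sample APK are all assumptions; the report does not state them.

```python
"""Offline triage of an APK (a ZIP) for the MiningDropper staging traits
described in the article.  Added example, not the report's own tooling."""
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n035\x00"  # fixed 8-byte header every DEX file starts with
DEX_HEADER_SIZE = 0x70       # header_size field (offset 0x24) is always 0x70

# File names quoted in the report; matched on the basename because the
# directory (e.g. lib/<abi>/) is not given there.
IOC_BASENAMES = {"librequisitionerastomous.so", "norweyanlinkediting", "udela"}


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (the same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = 8):
    """Known-plaintext key recovery.  XOR-ing the first bytes of the blob
    with the known DEX magic yields the key bytes; the shortest key length
    that reproduces the whole magic AND a sane header_size is returned.
    Assumption: a short repeating key (longer keys need more known text)."""
    if len(blob) < DEX_HEADER_SIZE:
        return None
    for klen in range(1, max_key_len + 1):
        key = bytes(blob[i] ^ DEX_MAGIC[i] for i in range(klen))
        plain = xor_decrypt(blob[:DEX_HEADER_SIZE], key)
        if plain[:8] != DEX_MAGIC:
            continue
        if int.from_bytes(plain[0x24:0x28], "little") == DEX_HEADER_SIZE:
            return key
    return None


def derive_candidate_aes_keys(file_name: str):
    """The report says the stage-2 AES key is derived from SHA-1(file name)
    but not how the 20-byte digest becomes a 16/32-byte key.  Assumed
    candidates an analyst would try: raw digest truncated to 16 bytes, and
    the hex string truncated to 16 or 32 characters."""
    digest = hashlib.sha1(file_name.encode()).digest()
    hexstr = hashlib.sha1(file_name.encode()).hexdigest()
    return [digest[:16], hexstr[:16].encode(), hexstr[:32].encode()]


def scan_apk(apk_bytes: bytes):
    """Return (kind, entry name, xor key or None) findings for one APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] in IOC_BASENAMES:
                findings.append(("ioc-name", name, None))
            if name.startswith("assets/"):
                key = recover_xor_key(zf.read(name))
                if key is not None:
                    findings.append(("xor-dex", name, key))
    return findings


def build_constructed_sample(xor_key: bytes = b"\x5a\xc3\x11") -> bytes:
    """Constructed APK-like ZIP for offline demonstration (not a real sample):
    a minimal DEX header XOR-ed with a 3-byte key plus the quoted file names."""
    header = bytearray(DEX_HEADER_SIZE)
    header[:8] = DEX_MAGIC
    header[0x20:0x24] = DEX_HEADER_SIZE.to_bytes(4, "little")  # file_size
    header[0x24:0x28] = DEX_HEADER_SIZE.to_bytes(4, "little")  # header_size
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("lib/arm64-v8a/librequisitionerastomous.so", b"\x7fELF constructed")
        zf.writestr("assets/stage1.bin", xor_decrypt(bytes(header), xor_key))
        zf.writestr("assets/udela", b"constructed config")
        zf.writestr("assets/logo.png", b"\x89PNG constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, name, key in scan_apk(build_constructed_sample()):
        print(kind, name, key.hex() if key else "")
    for cand in derive_candidate_aes_keys("norweyanlinkediting"):
        print("aes key candidate:", cand.hex())
```

Point `scan_apk` at the bytes of a real APK to run the same checks; an `xor-dex` hit on an asset is a strong sign of the first-stage loader, while `ioc-name` hits are cheap but brittle because the names can change between builds.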
Campaigns Targeting Multiple Regions
CRIL has identified two primary campaign clusters leveraging MiningDropper:
- Infostealer Campaign (India): This campaign specifically targets Indian users by impersonating trusted entities such as Regional Transport Office (RTO) services, banks, telecom providers, and popular applications. In October 2025, a campaign utilizing RTO-themed lures distributed malicious APK files that ultimately deployed infostealers to harvest sensitive financial and personal data.
- BTMOB RAT Campaign (Global): Another campaign distributes MiningDropper across Europe, Latin America, and Asia. In this instance, the final payload is BTMOB RAT, a potent Android trojan first identified in February 2024 as a variant of SpySolr malware. It supports credential theft, real-time remote control, device takeover, and financial fraud operations.
Interestingly, while BTMOB RAT was initially distributed without obfuscation and detected by numerous antivirus engines, its integration with MiningDropper has significantly lowered detection rates to as few as one to three engines.
Final Payload Capabilities
The final payload delivered by MiningDropper is contingent upon the configuration:
- Infostealers: Extract sensitive data such as login credentials and financial information.
- RATs (e.g., BTMOB RAT): Enable full device compromise, including screen monitoring, file access, audio recording, and command execution via WebSocket-based communication.
- Banking Trojans: Facilitate financial fraud through credential harvesting and transaction manipulation.
- Cryptocurrency Miners: Utilize device resources for unauthorized mining operations.
The malware also exploits Android Accessibility Services to gain extensive control over infected devices, allowing it to simulate user interactions and grant additional permissions.
A Scalable Malware-as-a-Framework Model
MiningDropper exemplifies a notable shift toward malware frameworks that emphasize scalability and adaptability. Its capacity to alternate between payloads through configuration changes, without necessitating alterations to the core architecture, renders it highly reusable across various campaigns. This modularity empowers threat actors to swiftly expand their operations while maintaining low detection rates.
MiningDropper transcends the realm of typical Android malware strains. By merging advanced obfuscation techniques, multi-stage execution processes, and the exploitation of legitimate projects like Lumolight, it embodies a threat model capable of sustaining large-scale, global campaigns.