MiningDropper Android Malware Delivers Infostealers, RATs, Banking Trojans
Key Takeaways MiningDropper is a sophisticated, multi-stage Android malware framework actively deploying infostealers, Remote Access Trojans (RATs), and banking Trojans. The threat campaign targets...
Key Takeaways
- MiningDropper is a sophisticated, multi-stage Android malware framework actively deploying infostealers, Remote Access Trojans (RATs), and banking Trojans.
- The threat campaign targets users globally, with notable activity observed in India, Europe, Latin America, and Asia.
- Infection occurs through deceptive phishing pages, social media links, and fraudulent websites impersonating legitimate services.
- MiningDropper employs advanced evasion techniques, including native code, encrypted assets, dynamic DEX loading, and anti-emulation checks, to bypass detection.
- The modular nature of MiningDropper allows threat actors to easily swap out final payloads, enabling diverse attack objectives from data theft to real-time device control.
A rapidly expanding Android malware campaign, dubbed MiningDropper, is actively distributing a range of malicious payloads, including infostealers, remote access trojans (RATs), banking malware, and even cryptocurrency miners, to unsuspecting users. Researchers describe MiningDropper as a sophisticated, multi-stage delivery system designed for maximum impact and stealth.
Table Of Content
The attackers leverage a broad lure strategy, spreading their malicious applications through phishing pages, deceptive social media links, and fraudulent websites. These malicious sites often mimic legitimate services such as transport portals, banking institutions, telecom providers, and popular mobile applications, tricking users into downloading compromised APK files that initiate the complex payload chain.
Cyble researchers have reported a significant increase in MiningDropper activity, identifying multiple active campaigns across India, Europe, Latin America, and Asia. One specific cluster of attacks concentrated on Indian users, employing infostealer lures. Concurrently, another campaign utilized fake app download pages to deliver the potent BTMOB RAT to a broader regional audience.
The severity of MiningDropper stems from its design as a reusable framework, rather than a singular malicious application. This modularity grants threat actors the flexibility to interchange final payloads as needed, adapting their attack objectives without requiring a complete overhaul of their tools. Over the past month, Cyble’s telemetry detected more than 1,500 distinct samples of MiningDropper in circulation, many of which exhibited very low antivirus detection rates.
Infection Mechanism
The operational complexity of MiningDropper significantly hinders its detection and neutralization. Its layered architecture incorporates native code, encrypted assets, dynamic DEX loading, and anti-emulation checks, all designed to delay and complicate analysis. The malware does not expose its full malicious capabilities immediately; instead, each stage progressively unlocks the next only after passing initial checks, thereby minimizing what static scanners can identify.
The infection sequence commences with a trojanized version of the open-source Android project LumoLight. Malicious activities are initiated via a native library named librequisitionerastomous.so. Within this library, critical strings are obfuscated using XOR encryption and are only decrypted at runtime, further complicating code inspection and helping the malware evade detection thresholds.
The same native component also performs environmental checks, scrutinizing platform details, system architecture, and device model information to determine if it is operating within an emulator or a rooted environment. Should the environment appear suspicious to the attackers, the malware can halt its harmful operations, effectively bypassing sandboxes and automated analysis systems.
Upon successful completion of these checks, the library decrypts an asset identified as x7bozjy2pg4ckfhn using a hardcoded XOR key. This process generates the first-stage DEX payload, which is then loaded for execution using DexClassLoader. Subsequently, this first stage decrypts a second-stage file using AES encryption. The encryption key material is ingeniously derived from the filename itself, a technique that conceals the key logic and further complicates reverse engineering efforts.
The second stage is often the first visible indicator of compromise for victims, as it can display a deceptive fake Google Play update screen. This ruse aims to normalize the infection process. Behind this facade, the malware decrypts additional files, reads configuration data, and determines whether to activate a cryptocurrency miner or proceed with a user-defined payload path for subsequent installation.
In the user-defined payload branch, MiningDropper decrypts a ZIP archive containing split components, reconstructs the final package, and then installs a more potent threat, such as the BTMOB RAT, through a third-stage installer. According to Cyble, this final payload is highly capable, facilitating credential theft via WebView injections, keystroke logging, data exfiltration, abuse of Accessibility Services, and supporting real-time remote control, screen monitoring, file management, audio recording, and arbitrary command execution.
For cybersecurity defenders, the emergence of MiningDropper underscores a growing trend in Android threats: the shift towards modular, reusable malware frameworks. These frameworks decouple the processes of delivery, deception, and monetization, allowing threat actors to rapidly pivot between objectives like banking fraud, espionage-style access, and silent cryptocurrency mining without needing to rebuild their entire toolkit for each new campaign.
What You Should Do
- Download Apps Only from Trusted Sources: Restrict app installations to official app stores like Google Play. Avoid downloading APK files from third-party websites, untrusted links, or unofficial app markets.
- Exercise Caution with Links: Be highly suspicious of links received via SMS, email, or social media, especially if they promise updates, special offers, or mimic legitimate services. Verify the authenticity of senders and links before clicking.
- Review App Permissions: Before installing any application, carefully review the permissions it requests. Be wary of apps asking for excessive or irrelevant permissions (e.g., a calculator app requesting access to your contacts or SMS).
- Keep Android OS Updated: Regularly update your Android operating system and all installed applications. Updates often include critical security patches that protect against known vulnerabilities.
- Enable Multi-Factor Authentication (MFA): Implement MFA for all sensitive accounts, especially banking and financial applications. This adds an extra layer of security, making it harder for attackers to gain access even if they steal your credentials.
- Report Suspicious Activity: If you suspect your device has been compromised or notice unusual financial transactions, immediately report it to your bank or relevant financial institution and take steps to secure your accounts.
- Use a Reputable Mobile Security Solution: Install and maintain an up-to-date mobile antivirus or security application on your Android device to help detect and block malware.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.