Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Lurking Lizard Malware Creates Proxy Nodes via Fake 7-Zip Installers
July 8, 2026
Fake Indian Tax Notices Deliver Dual RAT Malware
July 8, 2026
DuckDuckGo Browser Uses Community Filter Lists to Block YouTube Ads
July 8, 2026
Home/Threats/MiningDropper Android Malware Delivers Infostealers, RATs, Banking Trojans
Threats

MiningDropper Android Malware Delivers Infostealers, RATs, Banking Trojans

Key Takeaways MiningDropper is a sophisticated, multi-stage Android malware framework actively deploying infostealers, Remote Access Trojans (RATs), and banking Trojans. The threat campaign targets...

David kimber
David kimber
April 20, 2026 4 Min Read
54 0

Key Takeaways

  • MiningDropper is a sophisticated, multi-stage Android malware framework actively deploying infostealers, Remote Access Trojans (RATs), and banking Trojans.
  • The threat campaign targets users globally, with notable activity observed in India, Europe, Latin America, and Asia.
  • Infection occurs through deceptive phishing pages, social media links, and fraudulent websites impersonating legitimate services.
  • MiningDropper employs advanced evasion techniques, including native code, encrypted assets, dynamic DEX loading, and anti-emulation checks, to bypass detection.
  • The modular nature of MiningDropper allows threat actors to easily swap out final payloads, enabling diverse attack objectives from data theft to real-time device control.

A rapidly expanding Android malware campaign, dubbed MiningDropper, is actively distributing a range of malicious payloads, including infostealers, remote access trojans (RATs), banking malware, and even cryptocurrency miners, to unsuspecting users. Researchers describe MiningDropper as a sophisticated, multi-stage delivery system designed for maximum impact and stealth.

Table Of Content

  • Key Takeaways
  • Infection Mechanism
  • What You Should Do

The attackers leverage a broad lure strategy, spreading their malicious applications through phishing pages, deceptive social media links, and fraudulent websites. These malicious sites often mimic legitimate services such as transport portals, banking institutions, telecom providers, and popular mobile applications, tricking users into downloading compromised APK files that initiate the complex payload chain.

Cyble researchers have reported a significant increase in MiningDropper activity, identifying multiple active campaigns across India, Europe, Latin America, and Asia. One specific cluster of attacks concentrated on Indian users, employing infostealer lures. Concurrently, another campaign utilized fake app download pages to deliver the potent BTMOB RAT to a broader regional audience.

The severity of MiningDropper stems from its design as a reusable framework, rather than a singular malicious application. This modularity grants threat actors the flexibility to interchange final payloads as needed, adapting their attack objectives without requiring a complete overhaul of their tools. Over the past month, Cyble’s telemetry detected more than 1,500 distinct samples of MiningDropper in circulation, many of which exhibited very low antivirus detection rates.

Infection Mechanism

The operational complexity of MiningDropper significantly hinders its detection and neutralization. Its layered architecture incorporates native code, encrypted assets, dynamic DEX loading, and anti-emulation checks, all designed to delay and complicate analysis. The malware does not expose its full malicious capabilities immediately; instead, each stage progressively unlocks the next only after passing initial checks, thereby minimizing what static scanners can identify.

The infection sequence commences with a trojanized version of the open-source Android project LumoLight. Malicious activities are initiated via a native library named librequisitionerastomous.so. Within this library, critical strings are obfuscated using XOR encryption and are only decrypted at runtime, further complicating code inspection and helping the malware evade detection thresholds.

The same native component also performs environmental checks, scrutinizing platform details, system architecture, and device model information to determine if it is operating within an emulator or a rooted environment. Should the environment appear suspicious to the attackers, the malware can halt its harmful operations, effectively bypassing sandboxes and automated analysis systems.

Upon successful completion of these checks, the library decrypts an asset identified as x7bozjy2pg4ckfhn using a hardcoded XOR key. This process generates the first-stage DEX payload, which is then loaded for execution using DexClassLoader. Subsequently, this first stage decrypts a second-stage file using AES encryption. The encryption key material is ingeniously derived from the filename itself, a technique that conceals the key logic and further complicates reverse engineering efforts.

The second stage is often the first visible indicator of compromise for victims, as it can display a deceptive fake Google Play update screen. This ruse aims to normalize the infection process. Behind this facade, the malware decrypts additional files, reads configuration data, and determines whether to activate a cryptocurrency miner or proceed with a user-defined payload path for subsequent installation.

In the user-defined payload branch, MiningDropper decrypts a ZIP archive containing split components, reconstructs the final package, and then installs a more potent threat, such as the BTMOB RAT, through a third-stage installer. According to Cyble, this final payload is highly capable, facilitating credential theft via WebView injections, keystroke logging, data exfiltration, abuse of Accessibility Services, and supporting real-time remote control, screen monitoring, file management, audio recording, and arbitrary command execution.

For cybersecurity defenders, the emergence of MiningDropper underscores a growing trend in Android threats: the shift towards modular, reusable malware frameworks. These frameworks decouple the processes of delivery, deception, and monetization, allowing threat actors to rapidly pivot between objectives like banking fraud, espionage-style access, and silent cryptocurrency mining without needing to rebuild their entire toolkit for each new campaign.

What You Should Do

  • Download Apps Only from Trusted Sources: Restrict app installations to official app stores like Google Play. Avoid downloading APK files from third-party websites, untrusted links, or unofficial app markets.
  • Exercise Caution with Links: Be highly suspicious of links received via SMS, email, or social media, especially if they promise updates, special offers, or mimic legitimate services. Verify the authenticity of senders and links before clicking.
  • Review App Permissions: Before installing any application, carefully review the permissions it requests. Be wary of apps asking for excessive or irrelevant permissions (e.g., a calculator app requesting access to your contacts or SMS).
  • Keep Android OS Updated: Regularly update your Android operating system and all installed applications. Updates often include critical security patches that protect against known vulnerabilities.
  • Enable Multi-Factor Authentication (MFA): Implement MFA for all sensitive accounts, especially banking and financial applications. This adds an extra layer of security, making it harder for attackers to gain access even if they steal your credentials.
  • Report Suspicious Activity: If you suspect your device has been compromised or notice unusual financial transactions, immediately report it to your bank or relevant financial institution and take steps to secure your accounts.
  • Use a Reputable Mobile Security Solution: Install and maintain an up-to-date mobile antivirus or security application on your Android device to help detect and block malware.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwarephishingThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Microsoft RDP Vulnerability CVE-2024-21323 Lets Attackers Impersonate Servers

Next Post

NSA Uses Anthropic Mythos AI Despite Pentagon Blacklist

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Claude Cowork Critical Flaw Exposes AI Sessions to Remote Access
July 8, 2026
Exposed Payload Generator Creates Polymorphic Banking Malware Variants for Banana RAT
July 8, 2026
Mycelium Framework: First AI-as-a-Service Botnet Discovered
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us