Researchers have uncovered an Android malware framework dubbed the MiningDropper. Security researchers at Cyble Research and Intelligence Labs (CRIL) have identified a sharp increase in campaigns using MiningDropper, a modular platform capable of distributing multiple types of malicious payloads, including cryptocurrency miners, infostealers, Remote Access Trojans (RATs), and banking malware.
A notable aspect of this campaign is its abuse of the open-source Lumolight application, which has been repurposed as a trojanized entry point.
A Modular Android Malware Framework at Scale
MiningDropper is not a conventional malware strain. Instead, it operates as a multi-stage delivery framework designed to evade detection and dynamically deploy payloads. Its architecture integrates XOR-based obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques. These layers collectively delay analysis and reduce the likelihood of detection by traditional antivirus solutions.
Over 1,500 MiningDropper samples have been observed in the wild within a single month, with more than 50% showing minimal antivirus detection. Notably, around 668 samples registered only three antivirus detections, indicating widespread distribution with low visibility.
Lumolight as the Initial Infection Vector
A recent variant of MiningDropper uses a trojanized version of Lumolight as its initial payload. Victims unknowingly install this compromised application through phishing links, fraudulent websites, or social media campaigns. Once installed, the malicious application triggers a native library, “librequisitionerastomous.so”, which begins the execution chain.
This native layer decrypts XOR-obfuscated strings at runtime and checks whether the app is running in an emulator or rooted environment. If such conditions are detected, the malware halts execution to avoid analysis. Otherwise, it proceeds to decrypt and load the first-stage payload from the app’s assets.
Multi-Stage Payload Delivery Mechanism
MiningDropper’s infection chain unfolds across multiple stages:
- Initial Stage: The native code decrypts an embedded asset using a hardcoded XOR key, producing a DEX file. This file is dynamically loaded using DexClassLoader and executes a bootstrap component.
- First Stage: The bootstrap loader decrypts a second-stage payload using AES encryption. The AES key is derived from the SHA-1 hash of the file name, making it harder for analysts to extract static keys.
- Second Stage: This stage presents a fake Google Play update interface, a social engineering tactic designed to maintain user trust. Behind the scenes, it decrypts additional payloads and configuration files. The malware can operate in two modes: a cryptocurrency miner or a user-defined malicious payload.
Configuration files such as “norweyanlinkediting” (miner path) and “udela” (user payload path) dictate the behavior. These configurations include parameters like remote control capabilities, payload splits, and subscription timelines.
- Third Stage: The malware extracts a ZIP archive containing further DEX files and native libraries. Acting as a split-APK installer, it reconstructs and installs the final payload based on the configuration.
Campaigns Targeting Multiple Regions
CRIL identified two primary campaign clusters leveraging MiningDropper:
- Infostealer Campaign (India): This campaign targets Indian users by impersonating trusted entities such as Regional Transport Office (RTO) services, banks, telecom providers, and popular apps. In October 2025, a campaign using RTO-themed lures distributed malicious APK files that ultimately deployed infostealers to harvest sensitive financial and personal data.
- BTMOB RAT Campaign (Global): Another campaign distributes MiningDropper across Europe, Latin America, and Asia. In this case, the final payload is BTMOB RAT, a powerful Android trojan first identified in February 2024 as a variant of SpySolr malware. It supports credential theft, real-time remote control, device takeover, and financial fraud operations.
Interestingly, while BTMOB RAT was initially distributed without obfuscation and detected by multiple antivirus engines, its integration with MiningDropper has reduced detection rates to as low as one to three engines.
Final Payload Capabilities
The final payload delivered by MiningDropper depends on the configuration:
- Infostealers: Extract sensitive data such as login credentials and financial information.
- RATs (e.g., BTMOB RAT): Enable full device compromise, including screen monitoring, file access, audio recording, and command execution via WebSocket-based communication.
- Banking Trojans: Facilitate financial fraud through credential harvesting and transaction manipulation.
- Cryptocurrency Miners: Utilize device resources for unauthorized mining operations.
The malware also abuses Android Accessibility Services to gain extensive control over infected devices, allowing it to simulate user interactions and grant additional permissions.
A Scalable Malware-as-a-Framework Model
MiningDropper demonstrates a shift toward malware frameworks that prioritize scalability and adaptability. Its ability to switch between payloads using configuration changes, without altering the core architecture, makes it highly reusable across campaigns. This modularity enables threat actors to rapidly expand operations while maintaining low detection rates.
MiningDropper is more than just another Android malware strain. By combining advanced obfuscation, multi-stage execution, and the exploitation of legitimate projects like Lumolight, it represents a threat model capable of sustaining large-scale, global campaigns.
