A fast growing Android malware campaign is using a framework called MiningDropper to push far more dangerous threats onto phones disguised as normal apps.
Researchers describe it as a multi stage delivery system that can lead to infostealers, remote access trojans, banking malware, or even cryptocurrency mining activity on infected devices.
The campaign reaches victims through phishing pages, social media links, and fraudulent websites that mimic trusted services, including transport portals, banks, telecom brands, and popular mobile applications.
That broad lure strategy gives attackers many ways to trick users into downloading malicious APK files before the hidden payload chain begins.
Cyble researchers said they observed a notable surge in MiningDropper activity and linked the malware to multiple campaigns now operating across India, Europe, Latin America, and Asia.
One cluster focused on Indian users with infostealer lures, while another delivered BTMOB RAT to wider regional targets through fake app download pages.
The impact is serious because MiningDropper is not just a single malicious app but a reusable framework that lets threat actors swap final payloads as needed.
Cyble’s telemetry found more than 1,500 samples in the wild over the past month, and many showed very low antivirus detection.
Infection mechanism
What makes the operation harder to stop is its layered design, which mixes native code, encrypted assets, dynamic DEX loading, and anti emulation checks to delay analysis.
Instead of exposing the final malware at once, each stage unlocks the next one only after earlier checks pass, reducing what static scanners can immediately see.
MiningDropper attack chain (Source – Cyble)
The chain starts with a trojanized version of the open source Android project LumoLight, where malicious actions are launched through the native library librequisitionerastomous.so.
Initializing native code execution (Source – Cyble)
Inside that library, strings are hidden with XOR obfuscation and decrypted only at runtime, making the code harder to inspect and easier to keep below detection thresholds.
The same native component also checks platform details, system architecture, and device model information to decide whether it is running inside an emulator or rooted environment.
If the environment looks suspicious from the attacker’s view, the malware can stop its harmful activity, which helps it avoid sandboxes and automated analysis systems.
When those checks pass, the library decrypts an asset named x7bozjy2pg4ckfhn with a hardcoded XOR key, produces the first stage DEX payload, and loads it with DexClassLoader for further execution.
That first stage then decrypts a second stage file with AES, using key material derived from the filename, a choice that hides the key logic and complicates reverse engineering.
The second stage is the part most victims would notice because it can display a fake Google Play update screen, illustrated in Figure 10 Fake Google Play Update activity, to make the infection look routine.
Behind that screen, it decrypts more files, reads configuration data, and decides whether to activate a miner path or a user defined payload path for later installation.
In the user payload branch, the malware decrypts a ZIP archive and split components, rebuilds the final package, and installs a more capable threat such as BTMOB RAT through the third stage installer.
Cyble said that final payload can steal credentials through WebView injections, log keystrokes, exfiltrate data, abuse Accessibility Services, and support real time remote control, screen monitoring, file handling, audio recording, and command execution.
For defenders, the case shows how Android threats are moving toward reusable malware frameworks that separate delivery, deception, and monetization, allowing one campaign to shift quickly between banking theft, espionage style access, and silent mining without rebuilding the whole toolset.
Users can reduce risk by installing apps only from trusted stores, avoiding links received by SMS, email, or social media, checking permissions before install, keeping Android updated, using MFA for banking apps, and reporting suspicious financial activity quickly if compromise is suspected.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post Hackers Use MiningDropper to Deliver Infostealers, RATs, and Banking Malware on Android appeared first on Cyber Security News.
