MiningDropper – A Global Modular Android Malware Campaign Operating at Scale

CRIL observed a rapid surge in the distribution of MiningDropper, a modular Android dropper framework that initially deploys a cryptocurrency miner and can then transition to delivering infostealers or the BTMOB RAT via staged, configuration-driven payloads. The framework uses XOR-based native obfuscation, filename-derived AES decryption, dynamic DEX loading, and anti-emulation checks to keep antivirus detection low across campaigns targeting India, LATAM, and Europe. #MiningDropper #BTMOB

Key Points

  • MiningDropper is a multi-stage Android dropper framework that combines crypto-mining with the ability to deploy infostealers, RATs, and banking trojans.
  • The framework trojanizes the open-source LumoLight app and loads a native library (librequisitionerastomous.so) that performs XOR-based string deobfuscation and anti-emulation checks.
  • Payload staging uses filename-derived AES keys and dynamic DexClassLoader loading to decrypt and execute subsequent DEX payloads, complicating static analysis.
  • Campaigns observed include an India-focused infostealer campaign (phishing lures impersonating RTOs, banks, telcos) and a BTMOB RAT campaign affecting LATAM, Europe, and Asia.
  • Over 1,500 MiningDropper samples were identified, most of them showing very low AV detection (more than 50% with minimal coverage), indicating effective evasion and rapid reuse.
  • Final payloads are configuration-driven and can reconstruct split APKs (e.g., BTMOB RAT) or install a standalone miner, enabling flexible monetization and scalable distribution.
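The key points above describe a static footprint a defender can look for before any payload is decrypted: a native library with an unusual name under lib/, extension-less asset files with random-looking names that hold the AES-encrypted stages, and a known-bad APK hash. The following triage script is an added example written for this digest, not code from the Cyble report. It uses only the file names and the SHA-256 the report publishes; the entropy heuristic, its threshold, and the in-memory sample APKs are constructed assumptions.

```python
"""Static APK triage for MiningDropper-style dropper traits.

Added example, not code from the Cyble report: it walks an APK's zip
entries looking for the artefacts the report names (an oddly named
native library under lib/, extension-less random-looking asset files
used to stage encrypted payloads) and computes the SHA-256 for a
known-bad comparison. The entropy heuristic, its threshold and the
sample APKs built below are constructed assumptions.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

# SHA-256 the report gives for "Free Secure - Annulation.apk".
KNOWN_BAD_SHA256 = {
    "58a94f889547db8b2327a62e03fb2cce3bda716278d645ee8094178ecda2e9e6",
}
# Native library and asset names the report lists.
KNOWN_NATIVE_LIBS = {"librequisitionerastomous.so"}
KNOWN_ASSET_NAMES = {"x7bozjy2pg4ckfhn", "jajmanpongids", "bilbopseudomelanosis"}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking names score higher."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str, threshold: float) -> bool:
    """Constructed heuristic: no extension, at least 12 chars, high entropy."""
    return "." not in name and len(name) >= 12 and shannon_entropy(name) >= threshold


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 3.2) -> dict:
    """Return hash match, native libs and staged-payload-like assets for one APK."""
    sha256 = hashlib.sha256(apk_bytes).hexdigest()
    findings = {
        "sha256": sha256,
        "known_bad_hash": sha256 in KNOWN_BAD_SHA256,
        "native_libs": [],
        "known_libs": [],
        "known_assets": [],
        "suspicious_assets": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for entry in zf.namelist():
            if entry.startswith("lib/") and entry.endswith(".so"):
                lib = entry.rsplit("/", 1)[-1]
                findings["native_libs"].append(lib)
                if lib in KNOWN_NATIVE_LIBS:
                    findings["known_libs"].append(lib)
            elif entry.startswith("assets/") and not entry.endswith("/"):
                asset = entry[len("assets/"):]
                if asset in KNOWN_ASSET_NAMES:
                    findings["known_assets"].append(asset)
                if looks_random(asset, entropy_threshold):
                    findings["suspicious_assets"].append(asset)
    if findings["known_bad_hash"] or findings["known_libs"] or findings["known_assets"]:
        findings["verdict"] = "matches_known_indicators"
    elif findings["native_libs"] and findings["suspicious_assets"]:
        # Native code plus opaque asset blobs is the staging pattern the report describes.
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "no_indicators"
    return findings


def build_sample_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip built from a name -> content map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample mimicking the layout the report describes (contents are dummies).
SAMPLE_DROPPER = build_sample_apk({
    "classes.dex": b"dex\n035\0" + b"\0" * 32,
    "lib/arm64-v8a/librequisitionerastomous.so": b"\x7fELF" + b"\0" * 32,
    "assets/x7bozjy2pg4ckfhn": b"\x9c\x11\xe0" * 16,
    "assets/flutter_assets": b"benign",  # extension-less but not random-looking
    "assets/fonts/Roboto.ttf": b"\0" * 8,
})

# Constructed benign sample for comparison.
SAMPLE_BENIGN = build_sample_apk({
    "classes.dex": b"dex\n035\0" + b"\0" * 32,
    "assets/fonts/Roboto.ttf": b"\0" * 8,
})

if __name__ == "__main__":
    for label, apk in (("dropper-like", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        result = triage_apk(apk)
        print(f"{label}: verdict={result['verdict']} libs={result['native_libs']} "
              f"assets={result['suspicious_assets']}")
```

Name and hash matches are brittle against the rapid reuse the report describes, which is why the script also reports the structural pattern (native library plus opaque asset blobs) as a separate, lower-confidence verdict; a real pipeline would feed those samples to dynamic analysis rather than block on the heuristic alone.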

MITRE Techniques

  • [T1660] Phishing – Used as the initial distribution vector to lure victims to malicious APKs (“victims are lured to download malicious APK files via phishing websites or social media platforms”).
  • [T1575] Native API – Native library execution and decryption performed by the trojanized app (“loads the native library librequisitionerastomous.so”; native code decrypts payloads).
  • [T1406] Obfuscated Files or Information – Multiple layers of obfuscation applied, including XOR string obfuscation and AES-encrypted assets (“XOR-based string obfuscation in native code, AES-encrypted asset files”).
  • [T1633] Virtualization/Sandbox Evasion – Anti-emulation checks are performed to detect and abort execution on emulators or rooted environments (“the application checks platform details, system architecture, and device model information to determine whether it is running on an emulator”).
  • [T1426] System Information Discovery – The dropper queries device information to decide execution flow and environment suitability (“Dropper checks the device information to identify the running environment”).

Indicators of Compromise

  • [Domains/URLs] Distribution and phishing sites – hxxps://free-secure[.]com/Free%20Secure%20-%20Annulation.apk, hxxps://cardcpp[.]online/imobile.apk, and 14 more domains observed distributing malicious APKs.
  • [File Hash] Sample used for analysis – 58a94f889547db8b2327a62e03fb2cce3bda716278d645ee8094178ecda2e9e6 (SHA-256), associated with “Free Secure – Annulation.apk”.
  • [File Names / Assets] Trojanized components, libraries, and staged payloads – librequisitionerastomous.so, x7bozjy2pg4ckfhn (asset), and other asset names such as jajmanpongids and bilbopseudomelanosis.


Read more: https://cyble.com/blog/miningdropper-global-modular-android-malware/