MiningDropper Android Framework Delivers Infostealers, RATs, and Banking Malware
Researchers reported a large-scale Android malware campaign built around MiningDropper, a modular multi-stage framework used to distribute cryptocurrency miners alongside more dangerous payloads including infostealers, banking malware, and remote access trojans. The operation used phishing pages, social media links, and fraudulent websites to trick users into installing malicious APKs disguised as legitimate apps, and was linked to campaigns targeting users in India, Europe, Latin America, and Asia. Investigators observed more than 1,500 samples in a month, with many showing very low antivirus detection, indicating broad scale and effective evasion.
Technical analysis showed the infection chain began with a trojanized build of the open-source LumoLight Android project and progressed through staged loaders that relied on XOR-obfuscated native code, AES-encrypted payloads, dynamic DEX loading, split-APK reconstruction, and anti-emulation checks. One analyzed sample, distributed as Free Secure – Annulation.apk, displayed a fake Google Play update screen before either starting the mining path or installing a final payload such as BTMOB RAT. The delivered malware enabled credential theft, keylogging, Accessibility Service abuse, remote device control, audio recording, file management, and financial fraud, underscoring MiningDropper's role as a reusable malware delivery framework rather than a simple crypto-mining dropper.
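The staged-loader traits above (a DEX that references a dynamic class loader, XOR-obfuscated native code, encrypted payload blobs carried as assets) are what an analyst checks first when triaging a sample. The following is an added example, not code from Cyble's report or from the malware: it builds a constructed, in-memory APK that mimics those artefacts and runs three checks over it, a string search for dynamic DEX loading, a Shannon-entropy scan that flags encrypted or compressed blobs, and a single-byte XOR key brute force that recognises an ELF, DEX, or ZIP header once the right key is applied. The asset names, the single-byte key length, and the 7.5 bits/byte threshold are assumptions for illustration; the report does not state how MiningDropper keys its XOR layer.

```python
"""Static triage for a MiningDropper-style staged Android loader (added example)."""
import hashlib
import io
import math
import zipfile
from collections import Counter

# Headers a single-byte-XOR brute force can recover the key against.
KNOWN_MAGICS = {
    b"\x7fELF": "elf",
    b"dex\n035\x00": "dex",
    b"PK\x03\x04": "zip",
}

# Class names whose presence in a DEX indicates runtime code loading.
DEX_LOADER_MARKERS = (
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/InMemoryDexClassLoader",
    b"dalvik/system/PathClassLoader",
)

ENTROPY_THRESHOLD = 7.5  # bits/byte (assumed); AES output sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes):
    """Try all 256 keys on the first 8 bytes; return (key, kind) on a known header."""
    for key in range(256):
        head = xor_single_byte(blob[:8], key)
        for magic, kind in KNOWN_MAGICS.items():
            if head.startswith(magic):
                return key, kind
    return None


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler standing in for AES ciphertext (constructed)."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def build_sample_apk() -> bytes:
    """Constructed stand-in for a dropper APK; nothing here is a real sample."""
    native_plain = b"\x7fELF\x02\x01\x01\x00" + b"fake native loader stub" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64
                   + b"Ldalvik/system/DexClassLoader;" + b"\x00" * 64)
        z.writestr("lib/arm64-v8a/libstage.so", xor_single_byte(native_plain, 0x5A))
        z.writestr("assets/stage3.bin", pseudo_random_bytes(b"seed", 4096))
        z.writestr("assets/strings.txt", b"ordinary low-entropy resource text\n" * 40)
    return buf.getvalue()


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the loader indicators found in the archive."""
    report = {"dynamic_dex_loading": False, "high_entropy": [], "xor_recovered": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            data = z.read(info.filename)
            if info.filename.endswith(".dex") and any(m in data for m in DEX_LOADER_MARKERS):
                report["dynamic_dex_loading"] = True
            if info.filename.startswith(("assets/", "lib/", "res/raw/")):
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    report["high_entropy"].append((info.filename, round(ent, 2)))
                found = recover_xor_key(data)
                if found:
                    key, kind = found
                    report["xor_recovered"].append((info.filename, key, kind))
    return report


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

On a real sample, pass the bytes of the base APK to `triage_apk`; split APKs have to be reassembled first, since the report notes the loader reconstructs them itself. The entropy check only flags an AES-encrypted stage, it cannot decrypt it; the key has to be pulled from the loader code that consumes the blob. A single-byte XOR layer, by contrast, falls to the brute force above because the plaintext starts with a recognisable header.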
Timeline
Apr 15, 2026
Cyble publishes technical analysis of the MiningDropper framework
Cyble Research and Intelligence Labs disclosed a detailed analysis of MiningDropper, describing it as a modular multi-stage Android malware delivery framework that combines cryptocurrency mining with delivery of infostealers, RATs, and banking malware. The report detailed its evasion methods, staged loader chain, trojanized LumoLight origin, and links to major campaign clusters including an infostealer campaign in India and a BTMOB RAT campaign across multiple regions.
Apr 15, 2026
Researchers observe over 1,500 MiningDropper samples in one month
Cyble researchers observed more than 1,500 MiningDropper-related Android samples over the course of a month, with many showing very low antivirus detection rates. The volume and low detection suggested broad operational scale and effective evasion by the operators.
Mar 15, 2026
MiningDropper campaigns distribute trojanized Android apps globally
Threat actors operated Android malware campaigns using the modular MiningDropper framework to spread malicious APKs disguised as legitimate apps via phishing pages, social media links, and fraudulent websites. The activity targeted users in India, Europe, Latin America, and Asia, including lures themed around RTO services, banks, telecom providers, popular apps, and fraudulent sites delivering BTMOB RAT.
Related Stories

BeatBanker Android Malware Campaign Impersonating Starlink and Government Apps
**Kaspersky** reported a new Android malware campaign dubbed **BeatBanker** targeting users in Brazil, distributed via phishing sites that closely mimic the *Google Play Store* and lure victims into installing trojanized APKs posing as legitimate apps such as **Starlink** and the Brazilian government services app **INSS Reembolso**. The infection chain is staged to reduce suspicion: an initial decoy app presents a fake in-app “update” flow that prompts users to grant permission to install additional apps/modules, after which the malware pulls down further payloads and requests expanded privileges. Technical reporting indicates BeatBanker blends **banking trojan** capabilities with **cryptomining** (including a modified *XMRig*), and newer variants may deploy the commodity Android RAT **BTMOB** in place of the banking module, enabling broad device takeover (e.g., keylogging, screen recording, camera access, GPS tracking, and credential capture). The malware uses evasion techniques such as decrypting and loading hidden DEX code in-memory, performing anti-analysis environment checks, delaying malicious actions post-install, and maintaining persistence by continuously playing a near-inaudible MP3 (`output8.mp3`) to keep a foreground service alive and reduce the likelihood of the process being suspended by Android power management.
1 month ago
Four Android Banking Trojans Target 800+ Apps With MFA-Bypassing Overlays
Zimperium zLabs identified four Android malware families—**RecruitRat, SaferRat, Astrinox, and Massiv**—in active campaigns targeting users of more than **800 banking, cryptocurrency, and social media apps**. The malware is being spread through phishing sites, smishing messages, fake job application and streaming lures, counterfeit app-store pages, and bogus updates that trick victims into installing malicious APKs. Researchers said the campaigns rely heavily on overlay attacks, with fake login screens placed over legitimate apps to steal credentials; **RecruitRat** alone reportedly includes more than **700** fraudulent login pages. Once installed, the trojans abuse Android features including **Accessibility Services**, the **Session Installation API**, **MediaProjection**, overlays, and **WebView** to gain persistence, intercept SMS and one-time passwords, log keystrokes, enumerate apps, steal contacts, freeze screens, stream displays, and remotely control infected devices. The malware also uses anti-analysis techniques such as APK tampering, encrypted strings, reflection, dynamic DEX loading, and environment-aware execution, while command-and-control traffic is sent over HTTPS or WebSockets, with RecruitRat additionally using **RC4** encryption. Researchers warned the activity creates enterprise risk because infected employee devices can enable account takeover, bypass MFA, and expose corporate resources.
1 week ago
Malware Campaigns Using Fake Installers and Multi-Stage Loaders to Steal Credentials and Enable Remote Control
Multiple active malware campaigns are using **trojanized installers** and social engineering—rather than software vulnerabilities—to gain initial access and then deploy credential theft or remote-control capabilities. Intel 471 reported a new Android banking trojan dubbed **FvncBot** targeting Polish mobile banking users by impersonating an *mBank* “security” app; the dropper prompts installation of an additional “Play” component and then abuses **Android Accessibility Services** for persistence and control, enabling **keylogging**, **screen capture**, and hidden **VNC-style remote interaction** to facilitate fraudulent transactions. Separately, Cyderes described an ongoing, large-scale piracy-channel campaign where cracked game installers hide behind a legitimate-looking **Ren’Py** launcher tracked as **RenEngine**, which decrypts and launches subsequent stages and introduces **HijackLoader** via techniques including **DLL side-loading** and module stomping; observed final payloads include **ACR Stealer** (and in some cases **Vidar**) to exfiltrate browser credentials, cookies, and crypto wallet data. Cybereason detailed a different installer-themed operation in Chinese-speaking communities delivering **ValleyRat/Winos 4.0** attributed to **Silver Fox APT**, notable for using the rare **“PoolParty Variant 7”** process injection (abusing Windows I/O completion ports and `ZwSetIoCompletion()` after duplicating a handle from `Explorer.exe`) plus a strengthened watchdog mechanism via injection into `Explorer.exe` and `UserAccountBroker.exe` to maintain persistence.
1 month ago