An escalating Android malware campaign is using a dropper framework known as MiningDropper to deliver its final payloads disguised as legitimate apps. Depending on the campaign, infected devices receive infostealers, remote access trojans (RATs), banking malware, or a cryptocurrency miner.
Deceptive Distribution Tactics
The campaign reaches users through phishing pages, misleading social media links, and fraudulent websites that imitate reputable services, including transportation sites, banking platforms, telecom providers, and popular mobile applications. This breadth gives the attackers many ways to lure individuals into downloading a harmful APK, which is the first link in the concealed payload chain.
Research by Cyble has identified a significant increase in MiningDropper activities, connecting it to various campaigns impacting regions such as India, Europe, Latin America, and Asia. Specifically, one cluster focused on Indian users with infostealer tactics, while another disseminated the BTMOB RAT to broader regional targets via counterfeit app download sites.
Complex Infection Mechanism
MiningDropper is a reusable framework rather than a single piece of malware, which is what makes it a substantial threat: operators can swap the final payload as needed without rebuilding the delivery chain. Cyble's data shows over 1,500 active samples in the last month, many with low detection rates by antivirus software.
The campaign's complexity lies in its multi-layered architecture, which combines native code, encrypted assets, dynamic DEX loading, and anti-emulation checks to hinder analysis. Each stage of the chain is unpacked only after the preceding checks pass, so static scanners see very little of it.
Technical Breakdown of the Attack Chain
The chain starts with a trojanized build of the open-source Android project LumoLight, which uses the native library ‘librequisitionerastomous.so’ to launch the malicious logic. Strings inside this library are XOR-obfuscated and decrypted only at runtime to evade detection.
The native code also inspects platform details, system architecture, and device information to decide whether it is running in an emulator or on a rooted device. If the environment looks suspicious, the malware stops without unpacking later stages, sidestepping sandboxes and automated analysis.
Once these checks pass, the library decrypts an asset named ‘x7bozjy2pg4ckfhn’ with a hardcoded XOR key, producing the first DEX payload, which is then loaded with DexClassLoader. This second stage typically shows a fake Google Play update screen so the infection looks like routine maintenance. Later stages decrypt further files and branch between the mining path and an operator-defined payload path, which can end in the installation of the BTMOB RAT.
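Because the asset is a DEX file hidden behind a repeating XOR key, an analyst does not need the key from the native library to confirm what the blob is: every DEX file begins with the fixed magic `dex\n035\0` and carries the constant `0x12345678` at header offset 0x28, so the key can be recovered by known-plaintext XOR and then checked against the second constant. The helper below is an added example written for this article, not code from Cyble, from the MiningDropper samples, or from the LumoLight project; the asset contents and the three-byte key it uses are constructed for the demonstration, and the real sample's key length is unknown.

```python
"""Triage helper: spot XOR-encrypted DEX payloads among an APK's assets.

Added example for this article, not code from Cyble or from the malware.
The asset bytes and the key below are constructed sample data."""
import math
import struct
from typing import Optional

DEX_MAGIC = b"dex\n035\x00"      # header magic of every DEX file (version 035)
ENDIAN_TAG_OFFSET = 0x28         # endian_tag field in the 0x70-byte DEX header
ENDIAN_CONSTANT = 0x12345678
MAX_KEY_LEN = len(DEX_MAGIC)     # longest key the 8 known bytes can pin down


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or packed blobs sit near 8.0, text far below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def xor_bytes(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """Repeating-key XOR. `offset` is the position of data[0] within the whole
    blob, so that decrypting a slice stays aligned with the key stream."""
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key of length 1..8.

    For a candidate length k, the key is blob[:k] XOR DEX_MAGIC[:k]. The
    candidate is accepted only if it reproduces the whole magic and the
    endian_tag at offset 0x28, which rules out chance matches on non-DEX data.
    """
    if len(blob) < ENDIAN_TAG_OFFSET + 4:
        return None
    for k in range(1, MAX_KEY_LEN + 1):
        key = bytes(c ^ p for c, p in zip(blob[:k], DEX_MAGIC[:k]))
        if xor_bytes(blob[:len(DEX_MAGIC)], key) != DEX_MAGIC:
            continue
        tag_bytes = xor_bytes(blob[ENDIAN_TAG_OFFSET:ENDIAN_TAG_OFFSET + 4],
                              key, ENDIAN_TAG_OFFSET)
        if struct.unpack("<I", tag_bytes)[0] == ENDIAN_CONSTANT:
            return key
    return None


def triage_asset(name: str, blob: bytes) -> dict:
    """Summarise one asset: entropy plus the XOR key if it hides a DEX file."""
    key = recover_xor_key(blob)
    return {
        "name": name,
        "entropy": round(shannon_entropy(blob), 2),
        "dex_key": key.hex() if key else None,
    }


# --- constructed sample data -------------------------------------------------
# A minimal 0x70-byte DEX header (magic, header_size, endian_tag) plus filler,
# encrypted with a constructed 3-byte key. Not bytes from a real sample.
_header = bytearray(0x70)
_header[0:8] = DEX_MAGIC
_header[0x24:0x28] = struct.pack("<I", 0x70)
_header[ENDIAN_TAG_OFFSET:ENDIAN_TAG_OFFSET + 4] = struct.pack("<I", ENDIAN_CONSTANT)
SAMPLE_PLAIN = bytes(_header) + bytes(range(256))
SAMPLE_KEY = b"\x5a\xc3\x19"                       # constructed, not the real key
SAMPLE_ENCRYPTED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)
BENIGN_ASSET = b"app_name=Lumo\nversion=1.0\ntheme=dark\nlocale=en-US\nregion=IN\n"

if __name__ == "__main__":
    for asset_name, data in (("x7bozjy2pg4ckfhn", SAMPLE_ENCRYPTED),
                             ("config.txt", BENIGN_ASSET)):
        print(triage_asset(asset_name, data))
```

In practice the loop would run over every file under `assets/` in the unzipped APK; a high-entropy asset with an unfamiliar name is worth a look on its own, and a recovered key that yields a valid DEX header is a strong indicator of a dropper of this kind, independent of whether the native library has been reversed.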
Protective Measures and Future Outlook
For defenders, this case illustrates the trend towards adaptable malware frameworks that decouple delivery, deception, and monetization, letting a campaign switch between theft, espionage, and silent mining without retooling.
Users can reduce their exposure by installing apps only from trusted stores, avoiding links received via SMS, email, or social media, reviewing requested permissions before installation, keeping Android up to date, enabling multi-factor authentication for banking apps, and reporting suspicious activity promptly if compromise is suspected.
