MiningDropper Android Malware Targeting Millions of Mobile Users Worldwide

By xploitzone
April 20, 2026 9:50 PM

MiningDropper is a dangerous Android malware framework that supports cryptocurrency mining, data theft, remote access Trojans (RATs) and the deployment of banking Trojans. According to Cyble's report, the malware is spreading rapidly across India, Europe, Latin America and Asia, most recently through a trojanized copy of the Lumolight app. This article covers its attack method, its technical structure and practical steps to keep your Android device safe.

What Is MiningDropper and Why Is It Different?

When we talk about Android malware we often think of a simple virus built for a single task, but MiningDropper defies this notion. Researchers at Cyble Research and Intelligence Labs (CRIL) recently uncovered a malware framework that can implant not one but several malicious payloads on Android devices, chosen by the operator.

It is a modular platform that supports a variety of payloads, including cryptocurrency miners, infostealers, Remote Access Trojans (RATs) and banking malware. Its defining feature is that it works as a framework rather than as a single-purpose piece of malware.

This means that attackers can plug different malicious tools into it at will and launch a different kind of attack each time without rewriting the delivery system. Over 1,500 MiningDropper samples were detected within a month, with more than 50% of them evading antivirus detection, which shows the scale of the threat. This is why it is considered a serious and rapidly spreading threat.

How Lumolight Became a Dangerous App Trap

A recent variant of MiningDropper used a trojanized copy of Lumolight, an open-source flashlight application, which attackers weaponized and distributed through phishing links, social media and fake websites. This is especially alarming because Lumolight was a popular and trusted application; the attackers modified its code and turned it into a delivery vehicle.

When a user installs the fake app, everything appears normal, but behind the scenes an execution chain begins. Once installed, the malicious application loads a native library named librequisitionerastomous.so, which starts the chain. This native layer decrypts XOR-obfuscated strings at runtime and checks whether the app is running on an emulator or in a rooted environment.

image (Source – Cyble)

If either is detected, the malware aborts to avoid analysis by security researchers. Otherwise it proceeds to load the first-stage payload by decrypting an asset bundled with the app. This anti-analysis layer makes the samples hard to study and is one reason so many of them have slipped past antivirus engines.

Three-Stage Attack: How MiningDropper Works

According to CRIL's analysis, MiningDropper uses a multi-stage payload delivery architecture that combines XOR-based native obfuscation, AES-encrypted payload staging, dynamic DEX loading and anti-emulation checks.

image (Source – Cyble)

Together these layers delay analysis and largely defeat detection by traditional antivirus solutions. In the first stage, native code decrypts an embedded asset with a hardcoded XOR key, writes out a DEX file, loads it dynamically through DexClassLoader and executes a bootstrap component.

In the second stage, the bootstrap loader decrypts the next payload with AES, using a key derived from the SHA-1 hash of the payload's file name. Because no fixed key is present in the binary, static analysis cannot simply extract it.

A fake Google Play update screen is also shown at this stage. This social-engineering trick keeps the user confident that the phone is receiving an important update while the malware carries on with its work.

In the third and final stage, the malware extracts a ZIP archive containing the malicious DEX files and native libraries and acts as a split-APK installer, installing the final payload according to its configuration. The architecture is complex enough that even commercial-grade antivirus products are largely failing to detect it.
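The staging chain described above lends itself to a static check an analyst can run against an APK before any dynamic analysis. The following Python script is an added example, not code from this article or from Cyble: it builds a constructed stand-in APK containing one XOR-encrypted DEX-like asset beside a benign file, flags high-entropy assets, recovers a repeating XOR key from the fixed bytes of a classic DEX header (a known-plaintext attack), and shows how a filename-derived key can be recomputed once the scheme is understood. The key-length bound, the entropy threshold, the SHA-1 truncation and every file name are assumptions; the report gives none of these details.

```python
"""Static triage for XOR-staged DEX payloads hidden in APK assets.

Added example, not code from the article or from Cyble. Assumptions: a
repeating XOR key of at most 8 bytes, a stage-one payload that is a classic
DEX file, and SHA-1(file name) truncated to 16 bytes as the stage-two key.
"""
import hashlib
import io
import math
import zipfile
from typing import Dict, List, Optional

DEX_MAGIC = b"dex\n035\x00"
# Fixed bytes of a classic DEX header, offset -> value: magic, header_size
# (0x70) and endian_tag (0x12345678), the latter two stored little-endian.
KNOWN_DEX_BYTES: Dict[int, bytes] = {
    0: DEX_MAGIC,
    36: (0x70).to_bytes(4, "little"),
    40: (0x12345678).to_bytes(4, "little"),
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; JSON and text sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs approach 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = 8) -> Optional[bytes]:
    """Known-plaintext attack: each fixed header byte pins one key byte via
    key[off % klen] = blob[off] ^ plain. A key length is accepted only when
    every key byte is pinned and no two offsets disagree."""
    known = {off + i: b for off, chunk in KNOWN_DEX_BYTES.items()
             for i, b in enumerate(chunk)}
    if len(blob) <= max(known):
        return None
    for klen in range(1, max_key_len + 1):
        key: List[Optional[int]] = [None] * klen
        consistent = True
        for off, plain in known.items():
            slot, kb = off % klen, blob[off] ^ plain
            if key[slot] is None:
                key[slot] = kb
            elif key[slot] != kb:
                consistent = False
                break
        if consistent and None not in key:
            return bytes(key)  # all slots pinned, so no None remains
    return None


def derive_stage2_key(asset_name: str) -> bytes:
    """Filename-derived key: nothing to grep for in the binary, yet trivial to
    recompute once the scheme is known (16-byte truncation is an assumption)."""
    return hashlib.sha1(asset_name.encode()).digest()[:16]


def scan_apk(apk_bytes: bytes) -> List[dict]:
    """Flag high-entropy assets and attempt XOR key recovery on each."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assets/") or name.endswith("/"):
                continue
            blob = apk.read(name)
            entropy = shannon_entropy(blob)
            if entropy < ENTROPY_THRESHOLD:
                continue
            key = recover_xor_key(blob)
            findings.append({
                "asset": name,
                "entropy": round(entropy, 2),
                "xor_key": key.hex() if key else None,
                "decrypts_to_dex": bool(key) and xor_bytes(blob, key).startswith(DEX_MAGIC),
                "stage2_key": derive_stage2_key(name.rsplit("/", 1)[-1]).hex(),
            })
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a trojanized APK: a XOR-encrypted DEX-like
    asset beside a benign config file. Deterministic filler keeps results stable."""
    filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    size = 44 + len(filler)
    fake_dex = (DEX_MAGIC + b"\x00" * 4 + b"\x11" * 20 + size.to_bytes(4, "little")
                + KNOWN_DEX_BYTES[36] + KNOWN_DEX_BYTES[40] + filler)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("assets/stage1.bin", xor_bytes(fake_dex, bytes.fromhex("5aa53c")))
        apk.writestr("assets/config.json", b'{"theme": "dark", "brightness": 80}')
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

Point `scan_apk` at the bytes of a real APK instead of `build_sample_apk()` to triage a sample. The entropy filter is what keeps the key search cheap; the header bytes at offsets 36 and 40 are what stop an 8-byte key from matching any blob, since the magic alone can only pin keys shorter than 8 bytes.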

India-Targeted Infostealer Using RTO and Bank Lures

CRIL has identified two major campaign clusters using MiningDropper. The first specifically targets Indian users, deploying malicious APK files that imitate Regional Transport Office (RTO) services, banks, telecom providers and popular apps.

In October 2025 an RTO-themed campaign distributed carefully crafted malicious APK files that dropped cloaked infostealers to steal personal data and extort money. The attack is especially effective because people in India tend to trust messages and apps that appear to come from government agencies.

When a user believes the message or app is from the Regional Transport Office or a trusted bank, they install it without a second thought. From there the theft of personal information, banking credentials and other sensitive data begins.

The infostealer's job is to quietly send login passwords, bank account details, OTP messages and other sensitive information on the phone to the attackers' servers without the user noticing. This campaign is a clear example of how attackers exploit the trust of ordinary people, which is why awareness matters.

BTMOB RAT: A Global Threat Across Regions

The second campaign spreads MiningDropper in Europe, Latin America and Asia with a final payload called BTMOB RAT, which disguises itself as streaming, productivity and utility apps. BTMOB RAT first appeared in February 2024 as a variant of the SpySolr malware and is a powerful Android Trojan that gives attackers complete control over the infected device.

The Trojan supports credential theft, real-time remote control, device takeover and financial fraud, meaning the attacker can view the phone screen live, access files, record audio and execute arbitrary commands.

Most troubling of all, when BTMOB RAT was previously deployed without obfuscation many antivirus engines caught it, but once wrapped in MiningDropper its detection rate has dropped to only one to three engines, which makes the combination far more dangerous.

The malware uses WebSocket-based communication, which maintains a persistent, encrypted connection between the attackers and the infected device. It also abuses Android Accessibility Services to gain full control of the device: by simulating user interactions it can request additional permissions and approve them itself, without the user tapping anything.

Why Antivirus Fails Against Evolving Malware

MiningDropper's architecture, which combines native obfuscation, filename-derived AES keys, staged DEX loading and social-engineering overlays, significantly reduces static detection and makes large-scale attacks against Android users feasible.

Previously, when malware was built in a simple way, antivirus engines could record its signature and block it instantly the next time, but MiningDropper breaks that strategy. Each sample is slightly different: its internal file names determine the AES keys, the native layer is XOR-obfuscated, and the execution chain is complex enough to defeat automated analysis tools.

CRIL's analysis also shows that the framework lets a threat actor reuse the same distribution and installation mechanism across hundreds of samples while adapting the final payload to operational needs, meaning the infrastructure can be built once and reused for different attacks against different targets.

This malware-as-a-framework model is a new and significant challenge for cybersecurity, because traditional signature-based detection is not enough to counter it; behavioral analysis and advanced threat intelligence are required.

Malware-as-a-Framework: The Future of Mobile Cyber Threats

MiningDropper shows that mobile malware is no longer a simple threat but is evolving into an ecosystem in which attackers run a factory that produces varied attacks on demand.

By separating the loader from the final payload and driving behavior through configuration, MiningDropper acts as malware-as-a-framework, allowing threat actors to swap in new RATs or banking Trojans without rewriting the delivery chain.

This shift is significant. Previously malware was built for one purpose and then discarded; now attackers have a system that can be used repeatedly, each time targeting a new victim in a new way.

This modularity makes it important for ordinary users to understand that an unknown app secretly mining cryptocurrency on their phone is not just a battery drain; it may be one component of a much larger attack. Even a minor infection can be the first stage of a far more invasive one, so suspicious activity should never be ignored.

How to Keep Your Android Safe

With all this said, it is important that ordinary Android users take their digital security seriously, because threats like MiningDropper can only be avoided when the user is aware and alert.

First and foremost, install apps only from Google Play and never install an APK from a WhatsApp group, social media link or unknown website, no matter how urgent it seems. Don't root your phone: although this variant aborts when it detects a rooted environment, most likely to dodge analysis sandboxes, rooting removes Android's built-in protections and gives any malware far more freedom to operate.

Carefully review the permissions granted to your apps, and be especially wary of the Accessibility Services permission, since that is the permission this malware abuses most. Defenders should also monitor for suspicious sideloaded APKs, enforce Mobile Device Management (MDM) controls where possible and rely on behavioral detection to catch modular loaders like MiningDropper.

If your phone overheats for no apparent reason, the battery drains quickly or data usage suddenly spikes, it may be a sign of cryptocurrency mining or other malware. Keep Android updated with the latest security patches and use a mobile security solution that supports behavioral analysis, because signature-based antivirus alone is no longer enough.
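For the defender-side checks above (spotting sideloaded APKs and apps that hold the Accessibility permission), here is an added Python example that is not from this article or from Cyble. It parses the text printed by two adb commands, `pm list packages -3 -i` and `settings get secure enabled_accessibility_services`, and cross-references the two lists, since an app that was both sideloaded and granted Accessibility is the combination worth escalating. The sample command output embedded below is constructed, the package names are placeholders rather than indicators from the report, and the trusted-installer and accessibility allowlists are assumptions to tune per fleet.

```python
"""Device triage for sideloaded apps and Accessibility abuse.

Added example, not code from the article or from Cyble. The sample adb output
below is constructed; package names are placeholders, not real indicators.
"""
import subprocess
import sys
from typing import Dict, List

# Installers whose packages count as store-delivered. Assumption: extend with
# your OEM store or MDM agent. Deliberately excludes
# com.google.android.packageinstaller, the path a tapped APK from a chat or
# browser download takes.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Packages allowed to hold an enabled accessibility service. Assumption:
# TalkBack stands in for whatever your fleet legitimately uses.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}


def parse_pm_installers(pm_output: str) -> Dict[str, str]:
    """Map package -> installer from lines such as
    'package:com.example.app  installer=com.android.vending'.
    A missing or 'null' installer (adb sideload, older OS) becomes 'null'."""
    result: Dict[str, str] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition(" ")
        installer = rest.strip().partition("installer=")[2].strip() or "null"
        result[name] = installer
    return result


def flag_sideloaded(pm_output: str) -> List[str]:
    """Third-party packages whose installer is not a trusted store."""
    return sorted(pkg for pkg, inst in parse_pm_installers(pm_output).items()
                  if inst not in TRUSTED_INSTALLERS)


def flag_accessibility(setting_value: str) -> List[str]:
    """Packages with an enabled accessibility service outside the allowlist.
    The setting is colon-separated 'package/ServiceClass' entries, or 'null'."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    pkgs = {entry.split("/", 1)[0] for entry in value.split(":") if entry}
    return sorted(pkgs - ALLOWED_ACCESSIBILITY)


def triage(pm_output: str, acc_setting: str) -> Dict[str, List[str]]:
    """Combine both signals; the intersection is what to escalate first."""
    side = flag_sideloaded(pm_output)
    acc = flag_accessibility(acc_setting)
    return {"sideloaded": side, "accessibility": acc,
            "escalate": sorted(set(side) & set(acc))}


def adb_shell(*args: str) -> str:
    """Run a command on the attached device and return its stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample output, not captured from a real device.
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:org.example.flashlight  installer=com.google.android.packageinstaller
package:org.example.rtoservices  installer=null
package:com.example.bank  installer=com.android.vending
"""
SAMPLE_ACC = ("org.example.flashlight/org.example.flashlight.HelperService:"
              "com.google.android.marvin.talkback/"
              "com.google.android.marvin.talkback.TalkBackService")


if __name__ == "__main__":
    if "--device" in sys.argv:  # live run against an attached phone
        report = triage(adb_shell("pm", "list", "packages", "-3", "-i"),
                        adb_shell("settings", "get", "secure",
                                  "enabled_accessibility_services"))
    else:
        report = triage(SAMPLE_PM, SAMPLE_ACC)
    print(report)
```

Run it with `--device` against a phone with USB debugging enabled to get a live report; without the flag it runs on the constructed sample. Installer attribution is only as good as the OS records it: a package installed through adb shows `installer=null`, which this script treats as sideloaded.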

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
