A sophisticated Android malware delivery framework has been observed secretly mining cryptocurrency while simultaneously deploying infostealers, Remote Access Trojans (RATs), and banking malware across Asia, Europe, and Latin America.
With over 1,500 samples detected in the wild and more than 50% evading antivirus tools, this scalable malware-as-a-framework is actively reshaping the Android threat landscape.
MiningDropper Android Malware
MiningDropper, also tracked as BeatBanker, is a multi-stage Android dropper framework engineered for flexibility and stealth. Unlike traditional single-purpose mobile malware, it is designed as a modular platform: the same core framework can deliver cryptocurrency miners, infostealers, banking trojans, or full-featured RATs, depending on the threat actor’s configuration.
This adaptability enables large-scale campaign reuse without rebuilding the malware’s underlying architecture. The framework gains initial access through trojanized APKs, particularly a compromised version of the open-source Android project Lumolight distributed via phishing websites, smishing (SMS phishing), and social media platforms.
Once installed, it initiates a deeply layered infection chain designed to defeat automated analysis tools, sandbox environments, and static detection engines.
Multi-Stage Infection Chain
MiningDropper’s architecture is built around four progressive execution stages, each designed to unpack the next while minimizing exposure:
- Stage 1 – Native Bootstrapper: The malicious app loads the native library librequisitionerastomous.so, which decrypts XOR-obfuscated strings at runtime.
  - This stage also implements anti-emulation checks, inspecting device model, system architecture, and platform details. If an emulator or rooted environment is detected, execution terminates immediately.
- Stage 2 – First-Stage DEX Payload: The native library decrypts an encrypted asset using a hardcoded XOR key and dynamically loads it via DexClassLoader.
  - This bootstrap loader then retrieves a second-stage payload encrypted with AES, where the key is derived from the first 16 bytes of the SHA-1 hash of the asset filename, a clever technique to avoid static key extraction.
- Stage 3 – Social Engineering Layer: The second-stage DEX presents a fake Google Play update screen to deceive users while silently decrypting further payloads.
  - This stage determines whether the infection flow follows the “miner path” or the “user-defined payload path,” guided by configuration files also encrypted using filename-derived AES keys.
- Stage 4 – Final Payload Installation: The third-stage payload reconstructs a split APK from multiple encrypted asset files and installs the final malware, either a standalone cryptocurrency miner or a full-featured malicious application such as BTMOB RAT.
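As an added illustration (not code from the Cyble report or from the malware itself), the following Python triage helper reproduces the two reversible transforms the stage description names, repeating-key XOR for the stage-1 strings and the filename-derived key (first 16 bytes of SHA-1 of the asset name) for the AES-staged payloads, and flags high-entropy APK assets an analyst would try that key against. It assumes UTF-8 encoding of the bare asset name as the hash input and derives the key only: the write-up does not state the AES mode, IV or padding, so no decryption call is made. The sample assets are constructed.

```python
import hashlib
import math
from collections import Counter


def derive_asset_key(asset_name: str) -> bytes:
    """Candidate AES key as the write-up describes it: the first 16 bytes of
    SHA-1(asset filename). Hashing the bare UTF-8 name is an assumption."""
    return hashlib.sha1(asset_name.encode("utf-8")).digest()[:16]


def xor_decode(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call both obfuscates and recovers the
    stage-1 strings, so an analyst can test a recovered key on a dumped blob."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches 8.0, text sits far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_assets(assets: dict, threshold: float = 7.0) -> list:
    """For every APK asset, report its entropy, whether it looks encrypted,
    and the filename-derived key an analyst would try first against it."""
    report = []
    for name, data in assets.items():
        ent = shannon_entropy(data)
        report.append({
            "asset": name,
            "entropy": round(ent, 2),
            "likely_encrypted": ent >= threshold,
            "candidate_aes_key_hex": derive_asset_key(name).hex(),
        })
    return report


# Constructed sample assets (not real MiningDropper files): a deterministic
# pseudo-random blob standing in for an encrypted stage, plus a plaintext config.
SAMPLE_ASSETS = {
    "stage2.bin": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)),
    "config.txt": b"path=miner\npayload=none\n" * 16,
}

if __name__ == "__main__":
    for row in triage_assets(SAMPLE_ASSETS):
        print(row)
    hidden = xor_decode(b"DexClassLoader", b"\x5a\xa5")  # constructed key
    print(xor_decode(hidden, b"\x5a\xa5"))
```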
Victims are lured into downloading malicious APKs that harvest sensitive financial and personal data. Identified distribution URLs include domains masquerading as legitimate banking apps and telecom services.
BTMOB RAT Campaign (Global): The second campaign spans Europe, Latin America, and Asia, distributing MiningDropper via fraudulent app stores. The final payload in this campaign is BTMOB RAT, first discovered in February 2024 as a variant of SpySolr malware.
Previously distributed without a packer and flagged by multiple AV engines, BTMOB RAT’s detection rate has dropped to as few as 1–3 antivirus detections since it was wrapped in MiningDropper.
BTMOB RAT
BTMOB RAT represents one of the most dangerous final payloads in MiningDropper’s arsenal. It abuses Android Accessibility Services to gain deep, persistent control of the device. Its capabilities include:
- WebView-based credential injection and keylogging for financial account takeover
- Real-time screen monitoring via WebSocket-based command-and-control (C2)
- Remote file management, audio recording, and arbitrary command execution
- Device unlocking and permission escalation by simulating user interactions
- Financial fraud facilitation through intercepted banking sessions
When BTMOB RAT was first distributed without obfuscation, it triggered multiple AV detections. Wrapped inside MiningDropper’s multi-stage framework, it now evades most mobile security tools entirely.
Scale and Detection Evasion
Telemetry analysis of over 1,500 MiningDropper samples reveals alarming evasion statistics. The largest cluster, approximately 668 samples, shows only 3 antivirus detections.
Over 50% of all identified samples exhibit minimal antivirus coverage, demonstrating the effectiveness of the framework’s layered obfuscation: XOR-based native string decryption, AES-encrypted payload staging with filename-derived key material, dynamic DEX loading, and sandbox/emulator termination.
According to Cyble, which reported the campaign, this scale and reusability classify MiningDropper not merely as an Android dropper but as a malware-as-a-framework: a scalable delivery engine in which only the configuration files and encrypted assets change between campaigns.
Recommended Defenses
Organizations and users should take these immediate precautions:
- Install apps exclusively from the Google Play Store, never from SMS links, social media, or third-party APK sites
- Verify app permissions carefully before installation, especially Accessibility Services requests
- Enable Multi-Factor Authentication (MFA) on all banking and financial applications
- Keep Android OS and apps fully updated to patch vulnerabilities exploited by droppers
- Deploy mobile endpoint detection solutions capable of behavioral analysis, not just signature-based scanning
MiningDropper MITRE ATT&CK Mapping
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access (TA0027) | Phishing (T1660) | Distribution via phishing and smishing |
| Execution (TA0041) | Native API (T1575) | Native code decrypts and executes payloads |
| Defense Evasion (TA0030) | Obfuscated Files (T1406) | XOR + AES encrypted assets |
| Defense Evasion (TA0030) | Sandbox Evasion (T1633) | Anti-emulation environment checks |
| Discovery (TA0032) | System Info Discovery (T1426) | Device fingerprinting for environment detection |
FAQ
Q1: What is MiningDropper, and why is it dangerous?
MiningDropper is a modular Android malware framework that covertly mines cryptocurrency while delivering secondary payloads, including infostealers, RATs, and banking trojans, through a multi-stage, heavily obfuscated infection chain, making it highly evasive and versatile.
Q2: How does MiningDropper evade antivirus detection?
It uses a combination of XOR-based native string obfuscation, AES-encrypted payload staging with filename-derived keys, dynamic DEX loading, and active anti-emulation checks that terminate execution in sandboxed analysis environments.
Q3: What is BTMOB RAT, and what can it do to an infected device?
BTMOB RAT is a full-featured Android Remote Access Trojan, first identified in February 2024 as a SpySolr variant, capable of real-time screen control, keylogging, credential theft, audio recording, and financial fraud via WebSocket-based C2 communication.
Site: http://thecybrdef.com