Cyble analyzes a surge in an ongoing campaign to deliver MiningDropper — a modular Android malware framework - at scale.

Cyble's publication is a resource for cybersecurity professionals and businesses seeking to stay ahead of evolving cyber threats. Through detailed analysis of threat intelligence, cybersecurity trends, and real-world cyber incidents, Cyble provides  insights into emerging threats, cyber attack tactics, and risk mitigation strategies. Readers can learn about threat detection methodologies, vulnerability assessment techniques, incident response protocols, and compliance standards to enhance their cybersecurity posture. Additionally, Cyble offers expert commentary, best practices, and actionable recommendations to help organizations protect their digital assets, safeguard sensitive data, and maintain business continuity in the face of cyber threats.

Cyble

Cyble Research and Intelligence Labs has identified a surge in MiningDropper, a modular Android malware delivery framework also known as BeatBanker. It uses a multi-stage architecture combining XOR-based native obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques to evade detection. The framework initially deploys a cryptocurrency miner before transitioning to a user-defined payload such as an infostealer or BTMOB RAT. Two active campaigns were identified: one targeting Indian users via phishing sites impersonating RTO services, banks, and telecom providers; another distributing BTMOB RAT across Europe, LATAM, and Asia. Over 1,500 samples were found in the wild, with more than 50% showing minimal antivirus detection. BTMOB RAT enables credential theft, keylogging, accessibility service abuse, and real-time remote control via WebSocket C2. The modular design allows threat actors to swap final payloads with only configuration changes, enabling rapid campaign scaling.

MiningDropper: A Global Android Malware Campaign