Researchers have uncovered an Android malware framework dubbed the MiningDropper. Security researchers at Cyble Research and Intelligence Labs (CRIL) have identified a sharp increase in campaigns using MiningDropper, a modular platform capable of distributing multiple types of malicious payloads, including cryptocurrency miners, infostealers, Remote Access Trojans (RATs), and banking malware.   A notable aspect of this campaign is its abuse of the open-source Lumolight application, which has been repurposed as a trojanized entry point. 

A Modular Android Malware Framework at Scale

MiningDropper is not a conventional malware strain. Instead, it operates as a multi-stage delivery framework designed to evade detection and dynamically deploy payloads. Its architecture integrates XOR-based obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques. These layers collectively delay analysis and reduce the likelihood of detection by traditional antivirus solutions.  Over 1,500 MiningDropper samples have been observed in the wild within a single month, with more than 50% showing minimal antivirus detection. Notably, around 668 samples registered only three antivirus detections, indicating widespread distribution with low visibility. 

Lumolight as the Initial Infection Vector 

A recent variant of MiningDropper uses a trojanized version of Lumolight as its initial payload. Victims unknowingly install this compromised application through phishing links, fraudulent websites, or social media campaigns. Once installed, the malicious application triggers a native library, “librequisitionerastomous.so”, which begins the execution chain. This native layer decrypts XOR-obfuscated strings at runtime and checks whether the app is running in an emulator or rooted environment. If such conditions are detected, the malware halts execution to avoid analysis. Otherwise, it proceeds to decrypt and load the first-stage payload from the app’s assets. 

Multi-Stage Payload Delivery Mechanism 

[caption id="" align="aligncenter" width="909"] MiningDropper attack chain (Source: Cyble)[/caption] MiningDropper’s infection chain unfolds across multiple stages: 

• Initial Stage: The native code decrypts an embedded asset using a hardcoded XOR key, producing a DEX file. This file is dynamically loaded using DexClassLoader and executes a bootstrap component. 
• First Stage: The bootstrap loader decrypts a second-stage payload using AES encryption. The AES key is derived from the SHA-1 hash of the file name, making it harder for analysts to extract static keys. 
• Second Stage: This stage presents a fake Google Play update interface, a social engineering tactic designed to maintain user trust. Behind the scenes, it decrypts additional payloads and configuration files. The malware can operate in two modes: a cryptocurrency miner or a user-defined malicious payload. 

Configuration files such as “norweyanlinkediting” (miner path) and “udela” (user payload path) dictate the behavior. These configurations include parameters like remote control capabilities, payload splits, and subscription timelines. 

• Third Stage: The malware extracts a ZIP archive containing further DEX files and native libraries. Acting as a split-APK installer, it reconstructs and installs the final payload based on the configuration. 

Campaigns Targeting Multiple Regions 

CRIL identified two primary campaign clusters leveraging MiningDropper: 

• Infostealer Campaign (India): This campaign targets Indian users by impersonating trusted entities such as Regional Transport Office (RTO) services, banks, telecom providers, and popular apps. In October 2025, a campaign using RTO-themed lures distributed malicious APK files that ultimately deployed infostealers to harvest sensitive financial and personal data. 
• BTMOB RAT Campaign (Global): Another campaign distributes MiningDropper across Europe, Latin America, and Asia. In this case, the final payload is BTMOB RAT, a powerful Android trojan first identified in February 2024 as a variant of SpySolr malware. It supports credential theft, real-time remote control, device takeover, and financial fraud operations. 

Interestingly, while BTMOB RAT was initially distributed without obfuscation and detected by multiple antivirus engines, its integration with MiningDropper has reduced detection rates to as low as one to three engines. 

Final Payload Capabilities 

The final payload delivered by MiningDropper depends on the configuration: 

• Infostealers: Extract sensitive data such as login credentials and financial information.
• RATs (e.g., BTMOB RAT): Enable full device compromise, including screen monitoring, file access, audio recording, and command execution via WebSocket-based communication.
• Banking Trojans: Facilitate financial fraud through credential harvesting and transaction manipulation. 
• Cryptocurrency Miners: Utilize device resources for unauthorized mining operations.

The malware also abuses Android Accessibility Services to gain extensive control over infected devices, allowing it to simulate user interactions and grant additional permissions. 

A Scalable Malware-as-a-Framework Model 

MiningDropper demonstrates a shift toward malware frameworks that prioritize scalability and adaptability. Its ability to switch between payloads using configuration changes, without altering the core architecture, makes it highly reusable across campaigns. This modularity enables threat actors to rapidly expand operations while maintaining low detection rates.  MiningDropper is more than just another Android malware strain. By combining advanced obfuscation, multi-stage execution, and the exploitation of legitimate projects like Lumolight, it represents a threat model capable of sustaining large-scale, global campaigns.

On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America.

The Black Friday connection

Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity and often lax security awareness among users provides fertile ground for launching attacks. Gozi malware, a well-known banking Trojan, exploits this seasonal chaos to target unsuspecting users and financial institutions alike.

This year’s Black Friday activity was particularly concerning, with a notable increase in web-inject attacks. These sophisticated techniques compromised online banking sessions, enabling the theft of credentials, financial information and other sensitive data.

The campaign is not expected to stop there. With the subsequent year-end shopping rush, Gozi malware is poised to continue its onslaught. Cyber criminals are likely to capitalize on the desperation of last-minute shoppers seeking the best holiday deals, amplifying the malware’s reach and impact.

These ongoing attacks emphasize the need for vigilance and proactive security measures. Whether you’re a consumer enjoying the convenience of online shopping or a business managing increased transaction volumes, understanding the evolving tactics of cyber criminals is critical to staying ahead of the threat.

What is Gozi malware?

Gozi, also known as Ursnif and ISFB, is a modular banking Trojan that has been active since the mid-2000s. It is infamous for its ability to steal banking credentials, monitor user activity and execute advanced web-injects during online banking sessions. Over the years, it has evolved to include features like anti-debugging mechanisms and encrypted communication and is also used for targeted attacks on specific regions and financial institutions.

Observations from our system

During Black Friday, our telemetry revealed the following trends:

• Targeted campaigns: Gozi operators appeared to focus on North American banks, aligning their campaigns with the peak shopping hours.
• Increase in attack volume: The malware’s web-inject functionality was heavily used, indicating a rise in compromised banking sessions.

Why the surge?

The Black Friday spike in Gozi activity can be attributed to:

• Volume of transactions: The sheer number of financial transactions increases the probability of successful attacks.
• Weakened defenses: Many businesses prioritize frictionless user experience, uptime and sales during Black Friday, potentially delaying or weakening their security measures.
• Human behavior: Consumers are more likely to overlook suspicious activity when rushing to grab deals.

What we found

The provided script demonstrates a sophisticated web injection attack used to compromise online banking sessions. It dynamically injects malicious code into the legitimate banking page, allowing attackers to manipulate the session without the victim’s knowledge. The malicious script operates in the background to steal sensitive data, such as credentials, and is designed to evade detection by immediately removing itself from the page after execution. By blending with the legitimate page and erasing evidence, the attack becomes nearly invisible to both users and traditional security measures. This highlights the growing sophistication of web-inject attacks and underscores the need for advanced monitoring systems and robust security measures to detect and prevent such threats.

Figure 1: Sample of Gozi injection

From the screenshot below, it appears that the attacker left minimal evidence, likely attempting to test the mechanism and ensure everything is functioning correctly:

Figure 2: Attacker preparation

We believe the web-inject is still a work in progress, with potential future updates and enhancements to the code likely.

If you’d like to learn more about Gozi malware, you can find additional information here.

Final thoughts

As cyber criminals continue to exploit global events like Black Friday, staying vigilant is more crucial than ever. The resurgence of Gozi malware activity highlights the importance of proactive security measures for both businesses and individuals. While the current attacks are predominantly targeting North America, we suspect this campaign will soon expand to Europe, leveraging the holiday shopping season to further its impact.

While we enjoy the convenience of online shopping, it’s vital to stay aware of the ever-present cyber threats lurking in the digital landscape. By adopting robust security practices and remaining cautious, we can reduce the risks and protect ourselves against these sophisticated attacks. Cybersecurity is not just a technical challenge—it’s a shared responsibility.

How to avoid Gozi malware

Here are some recommendations to avoid Gozi malware and protect yourself from similar threats:

• Be wary of email links. Exercise caution when opening email attachments or clicking on links, especially if they come from unknown or suspicious sources. Be particularly vigilant for phishing emails that may attempt to trick you into downloading malware.
• Increase your password security. Create strong and unique passwords for all your online accounts, including cryptocurrency exchanges and wallets. Avoid using easily guessable information and consider using a reliable password manager to securely store and manage your passwords.
• Remain vigilant online. Pay attention to any unusual behavior or unexpected requests when accessing websites, especially financial or cryptocurrency-related platforms. If you encounter unexpected pop-ups, requests for additional personal information or changes in website appearance, it could be a sign of a web-inject attempting to deceive you.
• Stay informed about the latest cybersecurity threats and best practices. Familiarize yourself with common techniques used by cyber criminals, such as phishing scams and social engineering, to avoid falling victim to their tactics.

One of the best tools to detect Gozi malware and protect your organization is IBM Security Trusteer Pinpoint Detect. The tool uses artificial intelligence and machine learning to protect digital channels against account takeover and fraudulent transactions and detect user devices infected with high-risk malware. Learn more here.

IOC

/usbank/inj[.]php

/in/sella/sella[.]php

/in/paypal/p[.]php

/in/ebay/ebay[.]php

/in/poste/po[.]php

/in/ubibanca/ub[.]php

/in/amazon/a[.]php

/in/clienti.chebanca/ch[.]php

/in/credem/cr[.]php

frcorporateonline/inj[.]php

hsbcnet/inj[.]php

/lancher/in

The post Black Friday chaos: The return of Gozi malware appeared first on Security Intelligence.