Tool.Androlua
Tool.Androlua is a detection name for potentially dangerous builds of AndroLua, an Android framework for developing apps in the Lua scripting language. Per the available reporting, apps built on or bundled with this framework can request many permissions, and their Lua scripts may be shipped encrypted and decrypted only immediately before execution, which hinders static analysis and lets a script perform malicious actions under whatever permissions the user has granted. The reporting characterizes certain versions as potentially dangerous (riskware) rather than attributing a specific malware campaign, threat actor, or victim sector to the tool. No specific indicators of compromise are provided in the source content.
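The two traits the reporting describes (broad permission requests and encrypted Lua scripts that are only decrypted at run time) translate directly into APK triage heuristics. The script below is an added example, not Mallory's code and not part of the AndroLua project: it opens an APK as a zip, flags Lua script assets, treats any script asset that is neither plaintext nor luac bytecode (which starts with ESC "Lua") and has near-random byte entropy as a likely encrypted blob, notes any native library whose name contains "lua" (the LuaJava bridge is the assumed indicator), and greps the binary AndroidManifest.xml string pool for known dangerous permissions instead of doing a full AXML parse. The file names, suffixes, entropy threshold, permission list and scoring are assumptions for illustration; the sample APK it builds for offline testing is constructed, not a real sample.

```python
"""Triage heuristics for AndroLua-style APKs (added example; assumed indicators)."""
import io
import math
import random
import zipfile
from collections import Counter

# Illustrative list of permissions a runtime-loaded Lua script could abuse.
DANGEROUS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}
SCRIPT_SUFFIXES = (".lua", ".luac")   # assumed script asset names
ENTROPY_THRESHOLD = 7.2               # bits/byte; plaintext Lua is well under 6
LUAC_MAGIC = b"\x1bLua"               # header written by luac (compiled, not encrypted)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random (typical of ciphertext)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def manifest_permissions(raw: bytes) -> set:
    """Heuristic: AXML keeps strings in a pool, usually UTF-16LE (UTF-8 if flagged),
    so a substring search for known permission names avoids a full AXML parser."""
    return {p for p in DANGEROUS_PERMISSIONS
            if p.encode("utf-16-le") in raw or p.encode("utf-8") in raw}


def triage_apk(apk) -> dict:
    """apk: path or file-like object. Returns the indicator summary and a score."""
    report = {"lua_scripts": [], "encrypted_scripts": [], "lua_native": [],
              "dangerous_permissions": set()}
    with zipfile.ZipFile(apk) as z:
        names = z.namelist()
        for name in names:
            lower = name.lower()
            if lower.endswith(SCRIPT_SUFFIXES):
                report["lua_scripts"].append(name)
                data = z.read(name)
                # near-random bytes without the luac header: likely an encrypted script
                if not data.startswith(LUAC_MAGIC) and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                    report["encrypted_scripts"].append(name)
            elif lower.startswith("lib/") and "lua" in lower.rsplit("/", 1)[-1]:
                report["lua_native"].append(name)
        if "AndroidManifest.xml" in names:
            report["dangerous_permissions"] = manifest_permissions(z.read("AndroidManifest.xml"))
    score = (1 if report["lua_native"] else 0) + (1 if report["lua_scripts"] else 0)
    score += 2 if report["encrypted_scripts"] else 0
    score += 2 if len(report["dangerous_permissions"]) >= 3 else 0
    report["score"] = score
    report["verdict"] = "review: AndroLua-style riskware candidate" if score >= 4 else "low"
    return report


def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in for an APK (not a real sample): one plaintext script,
    one random-looking script simulating encryption, a LuaJava native library,
    and a fake manifest whose UTF-16LE string pool names three dangerous permissions."""
    rng = random.Random(1234)
    encrypted = bytes(rng.getrandbits(8) for _ in range(4096))
    plain = b'require "import"\nimport "android.widget.*"\nactivity.setContentView(layout)\n'
    perms = ["android.permission.INTERNET", "android.permission.SEND_SMS",
             "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO"]
    manifest = b"\x03\x00\x08\x00" + b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in perms)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("assets/main.lua", plain)
        z.writestr("assets/init.luac", encrypted)
        z.writestr("lib/arm64-v8a/libluajava.so", b"\x7fELF" + b"\x00" * 64)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    result = triage_apk(target)
    result["dangerous_permissions"] = sorted(result["dangerous_permissions"])
    print(json.dumps(result, indent=2))
```

Run it with a path to an APK to get a JSON summary, or with no arguments to see the result on the constructed sample. The score is a triage aid, not a verdict: a legitimate AndroLua app with plaintext scripts and few permissions scores low, while encrypted scripts combined with several dangerous permissions is exactly the pattern the reporting flags and is worth pulling the decrypted script from memory or a hooked loader to read what it actually does.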
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Lua-based Android development framework variants flagged as riskware due to broad permissions and encrypted script execution that can conceal malicious behavior.
Lua-based Android development framework variants flagged as potentially dangerous due to broad permission requests and execution of encrypted Lua scripts that can perform malicious actions under granted permissions.
Potentially dangerous AndroLua framework variants that execute encrypted Lua scripts and often request broad permissions, enabling malicious actions via those scripts.