BeatBanker Malware Targets Android Users with Banking Trojan and Crypto Miner

BeatBanker Malware Targets Android Users 🚨

A new Android malware called BeatBanker spreads through fake Starlink apps distributed on websites posing as the Google Play Store. Once installed, it hijacks devices, steals login credentials, tampers with cryptocurrency transactions, and secretly mines Monero, combining banking trojan capabilities with crypto-mining. The campaign mainly targets users in Brazil, spreading through phishing pages and sometimes via WhatsApp.

The campaign starts with a phishing site that mimics the Google Play Store and distributes a fake “INSS Reembolso” app, impersonating the official service of Instituto Nacional do Seguro Social. “At various stages of the attack, BeatBanker disguises itself as a legitimate application on the Google Play Store and as the Play Store itself,” states the report published by Kaspersky.

The packed APK uses a native library to decrypt and load hidden malware directly in memory, helping it evade mobile antivirus detection. It also checks device details and blocks execution in analysis environments. After victims tap Update on a fake Google Play Store screen, the malware downloads a cryptominer based on XMRig and connects to attacker-controlled mining pools. It uses Firebase Cloud Messaging as its command-and-control channel. BeatBanker maintains persistence by running a foreground service that plays a silent audio loop to avoid shutdown. It also installs a banking trojan that abuses accessibility permissions to control the device, monitor browsers, and target crypto apps such as Binance and Trust Wallet. When users attempt Tether transfers, the malware overlays fake screens and silently replaces the destination wallet address with one controlled by the attackers.

Kaspersky detected new BeatBanker samples spreading through a fake Starlink app. The malware keeps earlier persistence tricks such as looped audio and fixed notifications and still deploys a crypto miner. Instead of a banking trojan, however, it now installs BTMOB RAT, a highly obfuscated remote access tool. BTMOB, linked to malware families like CraxsRAT and CypherRAT, operates as Malware-as-a-Service and provides full control over infected devices. It can grant permissions automatically, run persistently in the background, hide notifications, capture screen-lock credentials, log keystrokes, track GPS location, and access cameras.

“BeatBanker is an excellent example of how mobile threats are becoming more sophisticated and multi-layered. Initially focused in Brazil, this Trojan operates a dual campaign, acting as a Monero cryptocurrency miner, discreetly draining your device’s battery life while also stealing banking credentials and tampering with cryptocurrency transactions,” concludes the report. “Moreover, the most recent version goes even further, substituting the banking module with a full-fledged BTMOB RAT.”

For more details, check out the full article here: Read full article