U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

BeatBanker malware targets Android users with banking Trojan and crypto miner

BeatBanker Android malware spreads through fake Starlink apps on websites imitating Google Play Store, hijacking devices, stealing credentials, and mining crypto. A new Android malware called BeatBanker spreads through fake Starlink apps distributed on websites posing as the Google Play Store. Once installed, it hijacks devices, steals login credentials, tampers with cryptocurrency transactions, and secretly […]

BeatBanker Android malware

BeatBanker Android malware spreads through fake Starlink apps on websites imitating Google Play Store, hijacking devices, stealing credentials, and mining crypto.

A new Android malware called BeatBanker spreads through fake Starlink apps distributed on websites posing as the Google Play Store. Once installed, it hijacks devices, steals login credentials, tampers with cryptocurrency transactions, and secretly mines Monero, combining banking trojan capabilities with crypto-mining.

The campaign mainly targets users in Brazil, spreading through phishing pages and sometimes via WhatsApp, allowing attackers to maintain long-term surveillance and remote control of compromised phones.

In newer attacks, operators replaced the banker component with a RAT and maintain persistence while communicating with mining pools.

The campaign starts with a phishing site that mimics the Google Play Store and distributes a fake “INSS Reembolso” app.

The malware impersonates the official service of Instituto Nacional do Seguro Social, tricking users into installing a trojanized APK disguised as a trusted government app.

“At various stages of the attack, BeatBanker disguises itself as a legitimate application on the Google Play Store and as the Play Store itself.” states the report published by Kaspersky.

The packed APK uses a native library to decrypt and load hidden malware directly in memory, helping it evade mobile antivirus detection. It also checks device details and blocks execution in analysis environments. The app then shows a fake update page resembling the Google Play Store to trick victims into installing additional malicious payloads and maintain persistence.

After victims tap Update on a fake Google Play Store screen, the malware downloads a cryptominer based on XMRig and connects to attacker-controlled mining pools. It uses Firebase Cloud Messaging as a as its command-and-control channel. Each message triggers checks on battery level, temperature, installation date, and user activity, allowing attackers to start or stop the hidden crypto miner and keep infected devices responsive to remote commands while monitoring key device conditions.

BeatBanker maintains persistence by running a foreground service that plays a silent audio loop to avoid shutdown. It also installs a banking trojan that abuses accessibility permissions to control the device, monitor browsers, and target crypto apps such as Binance and Trust Wallet.

“BeatBanker compromises the machine with a cryptocurrency miner and introduces another malicious APK that acts as a banking Trojan. This Trojan uses previously obtained permission to install an additional APK called INSS Reebolso, which is associated with the package com.destination.cosmetics.” continues the report.

When users attempt Tether transfers, the malware overlays fake screens and silently replaces the destination wallet address with one controlled by the attackers.

Kaspersky detected new BeatBanker samples spreading through a fake Starlink app. The malware keeps earlier persistence tricks such as looped audio and fixed notifications and still deploys a crypto miner. Instead of a banking trojan, however, it now installs BTMOB RAT, a highly obfuscated remote access tool.

BTMOB, linked to malware families like CraxsRAT and CypherRAT, operates as Malware-as-a-Service and provides full control over infected devices. It can grant permissions automatically, run persistently in the background, hide notifications, capture screen-lock credentials, log keystrokes, track GPS location, and access cameras.

“BeatBanker is an excellent example of how mobile threats are becoming more sophisticated and multi-layered. Initially focused in Brazil, this Trojan operates a dual campaign, acting as a Monero cryptocurrency miner, discreetly draining your device’s battery life while also stealing banking credentials and tampering with cryptocurrency transactions.” concludes the report that includes Indicators of Compromise (IoCs). “Moreover, the most recent version goes even further, substituting the banking module with a full-fledged BTMOB RAT.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BeatBanker Android malware)