BeatBanker Android malware poses as Starlink app and hijacks devices in Brazil

A new Android malware named BeatBanker hijacks devices and targets users in Brazil, combining banking trojan functions with Monero mining, according to a technical analysis by Kaspersky.

KEY FACTS

  • Incident: BeatBanker combines banking trojan functions with a Monero miner
  • Targets: Campaign activity observed in Brazil
  • Delivery: Distributed as an APK posing as a Starlink app on fake Play Store sites
  • Persistence: Keeps running by looping a nearly inaudible 5-second MP3 file named output8.mp3

The malware is delivered as an APK that uses native libraries to decrypt and load hidden DEX code directly into memory and performs environment checks before launching. It displays a fake Play Store update screen that asks victims to grant permissions to install additional payloads and delays malicious activity after installation to avoid detection.

The latest variant deploys the BTMOB RAT, which gives operators full device access including keylogging, screen recording, camera control, GPS tracking and credential capture. The malware can interfere with cryptocurrency transactions while also running a miner.

For persistence, the app continuously plays a nearly inaudible 5-second Chinese audio file named output8.mp3 through MediaPlayer inside a foreground service. Because playback never stops, the system treats the process as active and does not suspend or terminate it.
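As an added example (not code from Kaspersky's report), the following Python triage heuristic flags an APK that pairs a foreground-service permission with a tiny bundled audio clip, the combination the persistence trick above depends on. The size threshold, the asset paths and the byte-search approach to the binary manifest are assumptions; a hit is a reason to look closer, not a verdict.

```python
# Triage heuristic for the looping-audio foreground-service persistence trick.
# Assumptions (not from the report): the binary AndroidManifest.xml string pool
# stores permission names as UTF-16LE or UTF-8, and a "tiny audio asset" is any
# .mp3/.ogg/.wav under SMALL_AUDIO_BYTES in assets/ or res/raw/.
import io
import zipfile

SMALL_AUDIO_BYTES = 200 * 1024        # a 5-second near-silent clip is far below this
AUDIO_EXT = (".mp3", ".ogg", ".wav")
FGS_PERMISSION = "android.permission.FOREGROUND_SERVICE"


def manifest_declares(manifest_bytes: bytes, needle: str) -> bool:
    """Cheap check: search the raw manifest for the string in either encoding."""
    return (needle.encode("utf-16-le") in manifest_bytes
            or needle.encode("utf-8") in manifest_bytes)


def small_audio_assets(zf: zipfile.ZipFile) -> list:
    """Return paths of small audio files shipped under assets/ or res/raw/."""
    hits = []
    for info in zf.infolist():
        name = info.filename.lower()
        if (name.startswith(("assets/", "res/raw/"))
                and name.endswith(AUDIO_EXT)
                and info.file_size < SMALL_AUDIO_BYTES):
            hits.append(info.filename)
    return hits


def triage_apk(apk_bytes: bytes) -> dict:
    """Flag an APK that both declares a foreground service and bundles a tiny clip."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        fgs = manifest_declares(manifest, FGS_PERMISSION)
        audio = small_audio_assets(zf)
    return {"foreground_service": fgs, "small_audio": audio,
            "suspicious": fgs and bool(audio)}


def build_sample_apk() -> bytes:
    """Constructed sample: a fake APK with a UTF-16LE manifest and a 3 KB mp3."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", FGS_PERMISSION.encode("utf-16-le"))
        zf.writestr("assets/output8.mp3", b"\x00" * 3000)   # constructed, not real audio
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

On a real sample, pass the bytes of the APK file to triage_apk and follow up a hit by inspecting the service declarations and the audio asset itself.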

BeatBanker includes a modified XMRig 6.17.0 compiled for ARM to mine Monero. The miner connects to attacker-controlled pools over TLS and can fall back to a proxy. It starts or stops mining based on device conditions and reports battery level, temperature and usage status to the command infrastructure so that mining stays unnoticed.

All infections documented in the analysis were in Brazil. Android users should avoid sideloading APKs from outside the official store unless they trust the publisher, review the permissions each app has been granted and remove any it does not need, and run regular Play Protect scans.

WHY IT MATTERS

BeatBanker pairs credential theft and remote access capabilities with hidden cryptocurrency mining and persistence techniques that can drain devices and expose user data. Users and administrators should limit sideloading and monitor devices for unusual battery drain or performance issues.