New BeatBanker Android malware poses as Starlink app to hijack devices
Source: Bleeping Computer

A new Android malware named BeatBanker hijacks devices and tricks users into installing it by posing as a Starlink app on websites masquerading as the official Google Play Store. The malware combines banking trojan functions with Monero mining, and can steal credentials and tamper with cryptocurrency transactions.
Kaspersky researchers discovered BeatBanker in campaigns targeting users in Brazil. They also found that the most recent version of the malware drops the commodity Android remote access trojan BTMOB RAT in place of the banking module. BTMOB RAT gives operators full device control, including keylogging, screen recording, camera access, GPS tracking, and credential capture.
Persistence via MP3
BeatBanker is distributed as an APK whose native libraries decrypt hidden DEX code and load it directly into memory, keeping the malicious classes out of the on-disk APK where static scanners would find them. Before launching, it runs environment checks to make sure it is not being analyzed. If the checks pass, it displays a fake Play Store update screen to trick the victim into granting the permissions it needs to install additional payloads.
Image: The fake update message (Source: Kaspersky)
To avoid raising suspicion, BeatBanker waits for a period after installation before starting any malicious operations.
According to Kaspersky, the malware has an unusual method of maintaining persistence: it continuously loops a nearly inaudible 5‑second recording of Chinese speech from an MP3 file named output8.mp3, so that the process always has active media playback to justify staying alive.
“The KeepAliveServiceMediaPlayback component ensures continuous operation by initiating uninterrupted playback via MediaPlayer,” Kaspersky explains in a report today.
“It keeps the service active in the foreground using a notification and loads a small, continuous audio file. This constant activity prevents the system from suspending or terminating the process due to inactivity.”
Stealthy cryptocurrency mining
BeatBanker uses a modified XMRig miner (version 6.17.0), compiled for ARM devices, to mine Monero on the infected phone. The miner connects to attacker‑controlled mining pools over TLS, so the mining traffic is not exposed to plaintext network signatures, and falls back to a proxy if the primary pool address is unreachable.
Image: Miner deployment process (Source: Kaspersky)
The operators can start and stop the miner dynamically based on device conditions, which they monitor closely to keep mining effective without giving it away. Using Firebase Cloud Messaging (FCM), the malware continuously reports the device's battery level, temperature, charging status, user activity, and whether it has overheated to the command‑and‑control (C2) server.
By pausing mining while the device is in use and limiting its physical footprint (heat, battery drain, sluggishness), the malware stays hidden longer and mines only when conditions allow.
While Kaspersky observed all BeatBanker infections in Brazil, the malware could expand to other countries if proven effective, so vigilance and good security practices are recommended.
Recommendations for Android users
- Avoid side‑loading APKs from outside the official Google Play Store unless you trust the publisher. A website that looks like the Play Store is not the Play Store; the real one is the Play Store app already on the device.
- Review granted permissions and revoke any that are not relevant to the app's functionality.
- Keep Google Play Protect enabled and run scans regularly.
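The two checks the recommendations and the persistence section point at, as an added example (not code from Kaspersky or this article): a POSIX shell triage script that, over `adb`, lists third-party packages not installed by Google Play and cross-references them with the foreground services each package is holding, which is the state BeatBanker's MP3 loop exists to maintain. The `pm list packages -3 -i` and `dumpsys activity services` line formats, the package names, and the `--live` flag are assumptions made for the example; without `--live` the script runs on the constructed sample output embedded in it.

```shell
#!/bin/sh
# Added triage example (not code from Kaspersky or the article). Checks a
# connected Android device for the two traits the report describes: packages
# installed from outside Google Play, and foreground services such packages
# keep running. Assumptions: `adb` on PATH and USB debugging enabled when run
# with --live; the `pm list packages -3 -i` and `dumpsys activity services`
# line formats used below are what current Android builds print.

# Constructed sample of `pm list packages -3 -i` (third-party packages with
# their installer). The package names are made up for this example.
SAMPLE_PACKAGES='package:com.example.bank  installer=com.android.vending
package:com.example.chat  installer=com.android.vending
package:com.starlink.fake  installer=null
package:com.example.sideloaded  installer=com.google.android.packageinstaller'

# Constructed excerpt of `dumpsys activity services`; the KeepAlive service
# name mirrors the component named in the Kaspersky report.
SAMPLE_SERVICES='  * ServiceRecord{1a2b3c u0 com.example.music/.PlaybackService}
    isForeground=true foregroundId=1 foregroundNoti=Notification(...)
  * ServiceRecord{4d5e6f u0 com.starlink.fake/.KeepAliveServiceMediaPlayback}
    isForeground=true foregroundId=7 foregroundNoti=Notification(...)
  * ServiceRecord{7a8b9c u0 com.example.chat/.SyncService}
    isForeground=false'

# Read `pm list packages -3 -i` output on stdin; print packages whose installer
# is not the Play Store (com.android.vending). A browser download from a fake
# "Play Store" page shows up as installer=null or the system package installer.
sideloaded_packages() {
  sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p' |
    awk '$2 != "com.android.vending" { print $1 }'
}

# Read `dumpsys activity services` on stdin; print pkg/Service for every record
# currently running as a foreground service (the state the MP3 loop maintains).
foreground_services() {
  awk '
    /ServiceRecord/ {
      n = split($0, a, " ")
      rec = a[n]
      rec = substr(rec, 1, index(rec, "}") - 1)   # strip the closing brace
    }
    /isForeground=true/ { print rec }
  '
}

# $1: sideloaded packages (one per line); $2: foreground services (one per line).
# Print the foreground services that belong to a sideloaded package.
flag_suspicious() {
  printf '%s\n' "$2" | while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    pkg=${svc%%/*}
    if printf '%s\n' "$1" | grep -qxF -- "$pkg"; then
      printf '%s\n' "$svc"
    fi
  done
}

if [ "${1:-}" = "--live" ]; then
  pk=$(adb shell pm list packages -3 -i | tr -d '\r' | sideloaded_packages)
  fs=$(adb shell dumpsys activity services | tr -d '\r' | foreground_services)
else
  pk=$(printf '%s\n' "$SAMPLE_PACKAGES" | sideloaded_packages)
  fs=$(printf '%s\n' "$SAMPLE_SERVICES" | foreground_services)
fi
echo "Packages not installed from Google Play:"
printf '%s\n' "$pk"
echo "Foreground services held by those packages:"
flag_suspicious "$pk" "$fs"
```

Run it as `sh triage.sh --live` with a device attached. The second list is the one worth reading: a service marked isForeground=true with a persistent notification is exactly what lets a process survive Android's background limits, so a user-installed app holding one while playing nothing audible deserves a closer look. The installer field is self-reported metadata (anything with the INSTALL_PACKAGES privilege can set it), so an empty first list is not proof of a clean device.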