
BeatBanker: The Multifaceted Android Malware

  • Mar 11

Key Findings


  • BeatBanker is an Android malware that combines banking trojan capabilities with cryptocurrency mining.

  • It spreads through fake Starlink apps distributed on websites imitating the Google Play Store.

  • Once installed, BeatBanker hijacks devices, steals login credentials, and tampers with cryptocurrency transactions.

  • The malware uses a silent audio loop to maintain persistence and avoid being shut down by the system.

  • In newer versions, BeatBanker has replaced the banking trojan component with a remote access tool (RAT) called BTMOB, providing attackers with full control over infected devices.


Background


BeatBanker is a sophisticated Android malware that has been targeting users primarily in Brazil. The malware campaign initially focused on distributing a trojanized app impersonating a legitimate government service, but has since evolved to use fake Starlink apps as a delivery vector.


Delivery and Installation


  • BeatBanker spreads through phishing pages that mimic the Google Play Store and distribute a fake "INSS Reembolso" app.

  • The app disguises itself as a trusted government service, tricking users into installing a malicious APK.

  • The packed APK uses a native library to decrypt and load hidden malware directly into memory, helping it evade detection.

  • After installation, the app displays a fake Google Play Store update screen to trick victims into installing additional payloads.


Malicious Functionality


  • BeatBanker installs a cryptocurrency miner based on the XMRig mining software, connecting to attacker-controlled mining pools.

  • It uses Firebase Cloud Messaging as a command-and-control channel to monitor device conditions and control the miner.

  • The malware also includes a banking trojan component that abuses accessibility permissions to monitor browsers and target crypto apps like Binance and Trust Wallet.

  • When users attempt Tether transfers, the malware overlays fake screens and silently replaces the destination wallet address with one controlled by the attackers.


Persistence and Evolution


  • BeatBanker maintains persistence by running a foreground service that plays a silent audio loop, preventing the system from suspending or terminating the process.

  • In newer versions, the malware has replaced the banking trojan component with the BTMOB remote access tool (RAT), providing attackers with full control over infected devices, including the ability to capture screen-lock credentials, log keystrokes, track GPS location, and access cameras.
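
A manifest-level triage heuristic for the behaviours listed in the sections above, added here as an example and not taken from the cited reports. It assumes the APK's manifest has already been decoded to XML; the mapping from each behaviour to a manifest entry, the tag names and the sample manifest are this example's assumptions, not published BeatBanker indicators.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml (not from any real BeatBanker sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".KeepAlive" android:foregroundServiceType="mediaPlayback"/>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Push">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

def triage(manifest_xml):
    """Return the set of behaviour tags found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    tags = set()
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        tags.add("installs-other-apks")        # "installing additional payloads"
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        tags.add("overlay")                    # "overlays fake screens"
    for svc in root.iter("service"):
        fgs_types = (svc.get(ANDROID + "foregroundServiceType") or "").split("|")
        if "mediaPlayback" in fgs_types:
            tags.add("media-foreground-service")   # silent audio loop keep-alive
        if svc.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            tags.add("accessibility-service")      # accessibility abuse
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if "com.google.firebase.MESSAGING_EVENT" in actions:
            tags.add("fcm-receiver")               # Firebase Cloud Messaging channel
    return tags

def needs_review(tags):
    """Escalate only on the combination; each tag alone is common in benign apps."""
    return {"accessibility-service", "media-foreground-service"} <= tags and (
        "installs-other-apks" in tags or "overlay" in tags)

if __name__ == "__main__":
    found = triage(SAMPLE_MANIFEST)
    print(sorted(found), "review:", needs_review(found))
```

Run it over every APK in an install chain, since the page describes an initial app that installs additional payloads.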


Conclusion


BeatBanker is a sophisticated Android malware that combines banking trojan capabilities with cryptocurrency mining, targeting users in Brazil. Its use of a silent audio loop to maintain persistence and the recent addition of a powerful RAT component demonstrate the evolving nature of mobile threats.


Sources


  • https://securityaffairs.com/189288/malware/beatbanker-malware-targets-android-users-with-banking-trojan-and-crypto-miner.html

  • https://hackread.com/beatbanker-android-trojan-silent-audio-loop-crypto/

  • https://securityonline.info/the-silent-rhythm-how-beatbanker-malware-uses-a-looping-audio-file-to-hijack-android-devices/

  • https://securelist.com/beatbanker-miner-and-banker/119121/

  • https://eromang.zataz.com/2026/03/10/new-beatbanker-android-malware-poses-as-starlink-app-to-hijack-devices/

  • https://www.bleepingcomputer.com/news/security/new-beatbanker-android-malware-poses-as-starlink-app-to-hijack-devices/


© 2025 by Explain IT Again. Powered and secured by Wix
