New BeatBanker Android malware poses as Starlink app to hijack devices
BeatBanker is a new Android malware that masquerades as a Starlink app on fake Google Play Store sites, tricking users into installing it. The threat combines banking trojan functions with Monero mining and can steal credentials, tamper with crypto transactions, and provide full device control via the BTMOB RAT. It evades analysis by decrypting hidden code, displays a fake update screen to gain permissions, and maintains persistence by continuously playing an inaudible MP3 file. The malware uses a modified XMRig miner for ARM devices, sending device status via Firebase Cloud Messaging to manage mining activity stealthily. Kaspersky found infections in Brazil but warns that the threat could spread elsewhere, urging users to avoid sideloading APKs and review permissions carefully.

BeatBanker – a newly discovered Android malware – has been masquerading as a legitimate Starlink app on fake Google Play Store sites to trick users into installing it. The malicious package combines banking trojan capabilities with Monero mining, enabling attackers to steal credentials and tamper with cryptocurrency transactions.
Kaspersky researchers first identified BeatBanker in campaigns targeting Brazilian users. The latest version of the malware replaces its banking module with a commodity Android remote‑access trojan called BTMOB RAT. This RAT grants operators full device control: keylogging, screen recording, camera access, GPS tracking, and credential capture.
BeatBanker is delivered as an APK that employs native libraries to decrypt and load hidden DEX code directly into memory for evasion. Before launching, it performs environment checks to avoid analysis tools. If the checks pass, it displays a fake Play Store update screen, enticing victims to grant permissions for additional payloads. The malware then delays malicious operations for a short period after installation.
To maintain persistence, BeatBanker continuously plays an almost inaudible 5‑second MP3 file named output8.mp3 via the KeepAliveServiceMediaPlayback component. By keeping this audio playback active in the foreground with a notification, the process avoids being suspended or terminated by the system.
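The loader and persistence traits described above can be turned into a static triage check. The following is an added example, not code from Kaspersky or from the malware: it parses a constructed AndroidManifest.xml and file listing of an unpacked APK and flags a foreground media-playback service, a tiny MP3 asset that such a service could loop, native libraries that may hide a DEX loader, and the REQUEST_INSTALL_PACKAGES permission (my assumption for the "permissions for additional payloads" the article mentions). Package and library names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest imitating the traits described in the article.
# Package and label are illustrative placeholders, not from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakestarlink">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Starlink">
    <service android:name=".KeepAliveServiceMediaPlayback"
             android:foregroundServiceType="mediaPlayback"/>
  </application>
</manifest>"""

# Constructed (path, size_in_bytes) listing of the unpacked archive.
SAMPLE_FILES = [
    ("assets/output8.mp3", 40_000),
    ("lib/arm64-v8a/libnative-loader.so", 900_000),
    ("classes.dex", 120_000),
]


def triage(manifest_xml, files):
    """Return the indicators found plus a simple additive score."""
    root = ET.fromstring(manifest_xml)
    found = []
    perms = {p.get(ANDROID + "name", "") for p in root.iter("uses-permission")}
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        found.append("can request installation of additional packages")
    # A foreground service of type mediaPlayback is the keep-alive trick.
    for svc in root.iter("service"):
        name = svc.get(ANDROID + "name", "")
        if "mediaPlayback" in svc.get(ANDROID + "foregroundServiceType", ""):
            found.append(f"foreground media-playback service {name}")
    # A very small MP3 under assets/ only matters together with such a service.
    small_audio = [p for p, s in files
                   if p.startswith("assets/") and p.endswith(".mp3") and s < 200_000]
    if small_audio and any("media-playback service" in f for f in found):
        found.append(f"tiny loopable audio asset(s): {', '.join(small_audio)}")
    # Native libraries are where an in-memory DEX decryptor would live.
    if any(p.startswith("lib/") and p.endswith(".so") for p, _ in files):
        found.append("native libraries present (possible in-memory DEX loader)")
    return {"score": len(found), "indicators": found}


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_FILES)["indicators"]:
        print("-", line)
```

Real APKs would first be unpacked with a tool such as apktool so the binary manifest becomes the XML this parser expects.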
The cryptocurrency mining component uses a modified XMRig miner (version 6.17.0) compiled for ARM devices. It connects to attacker‑controlled mining pools over encrypted TLS and falls back to a proxy if the primary address fails. The miner can be started or stopped dynamically based on device conditions, allowing operators to monitor battery level, temperature, charging status, usage activity, and overheating through Firebase Cloud Messaging (FCM). By stopping mining when the device is in use and limiting its physical impact, BeatBanker remains stealthy for extended periods.
While all observed infections have been in Brazil, the malware could spread worldwide if the campaign proves effective. Android users should avoid sideloading APKs from outside the official Google Play store unless they trust the publisher, review granted permissions for any that seem unrelated to the app’s functionality, and perform regular Play Protect scans to detect such threats.
This new threat underscores the importance of vigilance and robust security practices in protecting mobile devices against increasingly sophisticated malware.