A newly identified Android malware, known as BeatBanker, has emerged as a significant threat, cleverly disguising itself as a Starlink application on websites that mimic the official Google Play Store. This malware is not just a simple nuisance; it combines the functionalities of a banking trojan with Monero mining capabilities, allowing it to steal sensitive credentials and manipulate cryptocurrency transactions.
Researchers at Kaspersky have traced the origins of BeatBanker to campaigns primarily targeting users in Brazil. Notably, the latest iteration of this malware has shifted tactics by deploying the commodity Android remote access trojan, BTMOB RAT, in place of its banking module. This transition grants operators extensive control over infected devices, enabling them to conduct keylogging, screen recording, camera access, GPS tracking, and credential capture.
Persistence via MP3
BeatBanker is distributed as an APK file that utilizes native libraries to decrypt and load hidden DEX code directly into memory, enhancing its evasion tactics. Before it activates, the malware conducts environment checks to ensure it is not under analysis. Once these checks are cleared, it presents a deceptive Play Store update screen, enticing victims into granting permissions for additional payload installations.
Source: Kaspersky
To minimize detection, BeatBanker cleverly delays its malicious operations following installation. Kaspersky’s findings reveal an unusual persistence method: the malware continuously plays a nearly inaudible 5-second recording of Chinese speech from an MP3 file named output8.mp3. This tactic, facilitated by the KeepAliveServiceMediaPlayback component, ensures ongoing operation by maintaining uninterrupted playback via MediaPlayer. This constant activity keeps the service active in the foreground, preventing the system from suspending or terminating the process due to inactivity.
Stealthy cryptocurrency mining
In addition to its banking capabilities, BeatBanker employs a modified version of the XMRig miner (version 6.17.0), specifically compiled for ARM devices, to mine Monero on Android platforms. The miner connects to attacker-controlled mining pools through encrypted TLS connections and can switch to a proxy if the primary address becomes unavailable.
This mining operation can be dynamically started or halted based on the device’s conditions, which the operators monitor closely to ensure optimal performance while maintaining stealth. Utilizing Firebase Cloud Messaging (FCM), BeatBanker continuously relays information to its command-and-control (C2) server regarding the device’s battery level, temperature, charging status, usage activity, and overheating incidents.
By pausing mining activities when the device is in use and minimizing its physical impact, the malware can remain undetected for extended periods, capitalizing on favorable conditions to mine cryptocurrency. While Kaspersky has only observed BeatBanker infections in Brazil thus far, the potential for expansion into other regions remains a concern. Therefore, users are advised to exercise vigilance and adhere to sound security practices.
Android users are strongly encouraged to avoid side-loading APKs from sources outside the official Google Play Store unless they have complete trust in the publisher or distributor. Additionally, reviewing permissions granted to apps—especially those that seem excessive for their functionality—and conducting regular Play Protect scans can significantly enhance security against such threats.
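To turn the two points above into a concrete triage check, here is an added example (not Kaspersky's analysis tooling or any code from the malware) that scores a decoded AndroidManifest.xml for the capability combination the article describes: a media-playback foreground service of the kind used to keep the keep-alive component running, the ability to install further packages, and RAT-style camera, microphone and location access. The weights, the flag threshold and the sample manifest are constructed assumptions for illustration; they are not BeatBanker's actual manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed weights: each permission is legitimate on its own; only the
# combination resembles the behaviour described in the article.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,        # extra payloads
    "android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK": 1,
    "android.permission.RECORD_AUDIO": 2,                     # audio capture
    "android.permission.CAMERA": 2,                           # camera access
    "android.permission.ACCESS_FINE_LOCATION": 2,             # GPS tracking
}
FLAG_THRESHOLD = 8  # assumed cut-off for manual review


def score_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in one manifest and a total score."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    type_attr = f"{{{ANDROID_NS}}}foregroundServiceType"
    findings, score = [], 0
    for perm in root.iter("uses-permission"):
        name = perm.get(name_attr, "")
        if name in SUSPICIOUS_PERMISSIONS:
            findings.append(name)
            score += SUSPICIOUS_PERMISSIONS[name]
    for svc in root.iter("service"):
        # A mediaPlayback foreground service is what lets a looping audio
        # player keep a process alive instead of being suspended as idle.
        if "mediaPlayback" in svc.get(type_attr, "").split("|"):
            findings.append("foreground-service:" + svc.get(name_attr, "?"))
            score += 2
    return {"score": score, "findings": findings, "flag": score >= FLAG_THRESHOLD}


# Constructed sample manifest using the service name named in the article;
# the package name is a placeholder, not a real indicator.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.starlink">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".KeepAliveServiceMediaPlayback"
             android:foregroundServiceType="mediaPlayback"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(score_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest decoded with a tool such as apktool; a hit is a prompt for manual review, not proof of infection.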