A new Android malware named BeatBanker can hijack devices and tricks users into installing it by posing as a Starlink app on websites masquerading as the official Google Play Store.

The malware combines banking trojan functions with Monero mining, and can steal credentials, as well as tamper with cryptocurrency transactions.

Kaspersky researchers discovered BeatBanker in campaigns targeting users in Brazil. They also found that the most recent version of the malware deploys the commodity Android remote access trojan called BTMOB RAT, instead of the banking module.

BTMOB RAT provides operators with full device control, keylogging, screen recording, camera access, GPS tracking, and credential-capture capabilities.

Persistence via MP3

BeatBanker is distributed as an APK file that uses native libraries to decrypt and load hidden DEX code directly into memory, for evasion.

Before launching, it performs environment checks to ensure it’s not being analyzed. If passed, it displays a fake Play Store update screen to trick the victims into granting it permissions to install additional payloads.

To avoid triggering any alarms, BeatBanker delays malicious operations for a period after its installation.

According to Kaspersky, the malware has an unusual method to maintain persistence, which consists of continuously playing a nearly inaudible 5-second recording of Chinese speech from an MP3 file named output8.mp3.

“The KeepAliveServiceMediaPlayback component ensures continuous operation by initiating uninterrupted playback via MediaPlayer,” Kaspersky explains in a report today.

“It keeps the service active in the foreground using a notification and loads a small, continuous audio file. This constant activity prevents the system from suspending or terminating the process due to inactivity.”

Stealthy cryptocurrency mining

BeatBanker uses a modified XMRig miner version 6.17.0, compiled for ARM devices, to mine Monero on Android devices. XMRig connects to attacker-controlled mining pools using encrypted TLS connections, and falls back to a proxy if the primary address fails.

The miner can be dynamically started or stopped based on device conditions, which the operators closely monitor to ensure optimal operation and maintain stealth.

Using Firebase Cloud Messaging (FCM), the malware continuously sends the command-and-control (C2) server information about the device’s battery level and temperature, charging status, usage activity, and whether it has overheated.

By stopping mining when the device is in use and by limiting its physical impact, the malware can remain hidden for a longer period, mining for cryptocurrency when conditions allow it.

While Kaspersky observed all BeatBanker infections in Brazil, the malware could expand to other countries if proven effective, so vigilance and good security practices are recommended.

Android users shouldn’t side-load APKs from outside the official Google Play store unless they trust the publisher/distributor, should review granted permissions for risky ones that aren’t relevant to the app’s functionality, and perform regular Play Protect scans.