Fake government and Starlink apps used in malware campaign targeting Brazil
2026-3-12 13:15:46 Author: therecord.media

Researchers discovered new Android malware capable of stealing banking credentials, tampering with cryptocurrency transactions and secretly mining digital currency on infected devices in Brazil.

The malware, dubbed BeatBanker by Russian cybersecurity firm Kaspersky, infects smartphones through fake applications that mimic legitimate services, including the Starlink satellite internet app and the Brazilian government portal INSS Reembolso. Both apps were available for download from a website masquerading as the official Google Play Store.

Once installed, the malware secretly mines the cryptocurrency Monero, draining the victim’s phone battery and processing power while also stealing banking credentials and manipulating cryptocurrency transactions, Kaspersky said in a report earlier this week.

The malware monitors factors such as battery temperature, battery level and user activity to determine when to start or stop the mining process, helping it remain undetected.

To maintain persistence on compromised devices, the malware uses an unusual technique: it continuously plays a nearly inaudible audio file so that the Android system does not terminate the application due to inactivity. Kaspersky noted that the audio file contains several Chinese words but did not attribute the campaign to a specific threat actor.

Beyond mining cryptocurrency, BeatBanker also deploys a banking trojan designed to manipulate digital asset transfers. When victims attempt to send USDT using apps such as Binance or Trust Wallet, the malware overlays the transaction screen with a realistic interface that replaces the intended destination wallet address with one controlled by the attackers.

Researchers also identified another variant of the campaign that uses a fake Starlink application as a lure. In that case, the malware delivers BTMOB, an Android remote-access trojan sold through a malware-as-a-service model.

Once installed, BTMOB gives attackers full remote control of the victim’s phone, including access to the camera, keystrokes, GPS location and other sensitive data. Researchers believe the creators of BeatBanker likely purchased the BTMOB malware from its developers and integrated it into their campaign, replacing the banking module used in earlier infections.

All observed infections linked to BeatBanker were detected in Brazil. Some samples distributing the BTMOB payload appeared to spread through WhatsApp messages and phishing pages.

Android trojans are widely used by cybercriminals to steal sensitive data and financial information. In recent months, researchers have identified other mobile threats, including Herodotus, a banking trojan capable of mimicking human behavior to evade detection, and Crocodilus, which manipulates victims’ contact lists to impersonate trusted phone numbers and bypass bank fraud protections.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Article source: https://therecord.media/fake-gov-apps-malware-android-brazil