Banking trojans and cryptominers have historically operated as separate threat categories on Android. BeatBanker combines both, and a new analysis details how it evades detection while doing so.
Researchers at Kaspersky discovered the malware targeting users in Brazil, distributed as an APK file disguised as a Starlink app on websites designed to mimic the official Google Play Store. According to the report, the malware uses native libraries to decrypt and load hidden DEX code directly into memory, performing environment checks before executing to confirm it is not running inside an analysis sandbox. If those checks pass, it presents victims with a fake Play Store update screen to obtain permissions for installing additional payloads.
A persistence mechanism built around audio
BeatBanker’s method of staying alive on a device is atypical. The malware continuously loops a nearly inaudible 5-second recording of Chinese speech from an MP3 file named output8.mp3. The Kaspersky report explains that the KeepAliveServiceMediaPlayback component “ensures continuous operation by initiating uninterrupted playback via MediaPlayer,” keeping the service in the foreground behind a persistent notification. Android aggressively suspends or kills background services, but a foreground service tied to ongoing media playback counts as user-visible work and is exempt from those limits, so the constant audio activity keeps the process alive. The malware also delays its malicious operations for a period after installation to avoid triggering security alerts.
The most recent version observed by researchers drops the banking module in favor of BTMOB RAT, a commodity Android remote access trojan that gives operators full device control, keylogging, screen recording, camera access, GPS tracking, and credential capture.
Mining Monero on idle devices
The cryptomining component is a modified XMRig 6.17.0 build compiled for ARM, used to mine Monero. The miner connects to attacker-controlled pools over TLS and falls back to a proxy if the primary pool address is unreachable.
Operators control the miner through Firebase Cloud Messaging, and the malware continuously reports device battery level, temperature, charging status, usage activity, and overheat status to the command-and-control server. Mining starts and stops dynamically based on those conditions, running while the device is idle and pausing when it is in active use, which reduces the physical signals (heat, battery drain, sluggishness) that might alert a user.
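The traits described above (a packed payload loaded as in-memory DEX, a MediaPlayer-backed foreground service with an audio asset, and an ARM native library carrying XMRig strings) can all be checked statically from the APK. The script below is an added example, not Kaspersky's tooling or anything from the malware itself: it walks the APK zip, measures entropy of non-media assets, searches the DEX files and native libraries for the relevant strings, and reads the ELF header to confirm the architecture. The sample APK it builds is constructed for the demonstration (the pool hostname `pool.example` and file names are placeholders), not a real BeatBanker file.

```python
"""Static triage of an APK for the traits the analysis describes: a packed
(high-entropy) asset plus in-memory DEX loading, a MediaPlayer-backed
foreground service, and an ARM native library carrying XMRig strings.
This is an added example, not Kaspersky's tooling; the sample APK built
below is constructed, not a real BeatBanker file."""
import io
import math
import random
import re
import struct
import zipfile

# DEX strings are MUTF-8, so ASCII class/method names can be found by raw substring search.
DEX_MARKERS = {
    "in_memory_dex_loader": b"Ldalvik/system/InMemoryDexClassLoader;",
    "media_player": b"Landroid/media/MediaPlayer;",
    "foreground_service": b"startForeground",
}
# Strings XMRig builds carry; stratum+ssl is the scheme for TLS pools.
ELF_MINER_MARKERS = [b"xmrig", b"stratum+ssl://", b"stratum+tcp://", b"rx/0"]
ELF_ARM_MACHINES = {0x28: "ARM", 0xB7: "AArch64"}  # ELF e_machine values
AUDIO_EXT = (".mp3", ".ogg", ".wav", ".m4a")
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted blobs sit near 8.0

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def elf_machine(data: bytes):
    """Architecture name for an ELF blob (from e_machine), None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    (e_machine,) = struct.unpack(endian + "H", data[18:20])
    return ELF_ARM_MACHINES.get(e_machine, f"other(0x{e_machine:x})")

def triage_apk(apk_bytes: bytes) -> dict:
    f = {"audio_assets": [], "packed_assets": [], "dex_markers": set(),
         "native_libs": {}, "miner_strings": set()}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            lower = name.lower()
            is_audio = lower.endswith(AUDIO_EXT)
            if is_audio:
                f["audio_assets"].append(name)
            # Media files are legitimately high-entropy, so only flag other assets.
            if name.startswith("assets/") and not is_audio \
                    and shannon_entropy(data) > ENTROPY_THRESHOLD:
                f["packed_assets"].append(name)
            if re.fullmatch(r"classes\d*\.dex", name):
                f["dex_markers"].update(k for k, m in DEX_MARKERS.items() if m in data)
            if name.startswith("lib/") and lower.endswith(".so"):
                f["native_libs"][name] = elf_machine(data)
                f["miner_strings"].update(
                    m.decode() for m in ELF_MINER_MARKERS if m in data.lower())
    f["dex_markers"] = sorted(f["dex_markers"])
    f["miner_strings"] = sorted(f["miner_strings"])
    return f

def verdict(f: dict) -> list:
    """Translate raw findings into the behaviours described in the analysis."""
    hits = []
    dex = set(f["dex_markers"])
    if {"media_player", "foreground_service"} <= dex and f["audio_assets"]:
        hits.append("audio-backed foreground service (keep-alive)")
    if "in_memory_dex_loader" in dex and f["packed_assets"]:
        hits.append("packed payload loaded as in-memory DEX")
    if f["miner_strings"] and any(
            a in ELF_ARM_MACHINES.values() for a in f["native_libs"].values()):
        hits.append("ARM native miner (XMRig strings)")
    return hits

def build_sample_apk() -> bytes:
    """Constructed stand-in APK showing all three traits (not a real sample)."""
    rng = random.Random(1)
    # 20-byte ELF header prefix: 64-bit, little-endian, e_type=ET_DYN, e_machine=AArch64.
    elf = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x03\x00\xb7\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(DEX_MARKERS.values()))
        z.writestr("assets/output8.mp3", b"ID3" + b"\x00" * 2048)  # stand-in audio
        z.writestr("assets/payload.bin", bytes(rng.randrange(256) for _ in range(4096)))
        z.writestr("lib/arm64-v8a/libnative.so",  # pool.example is a placeholder host
                   elf + b"\x00XMRig 6.17.0\x00stratum+ssl://pool.example:443\x00rx/0\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for line in verdict(triage_apk(build_sample_apk())):
        print("[!]", line)
```

To run it against a real file, read the APK bytes and pass them to `triage_apk`; the checks are deliberately string- and header-level so they work on stripped builds, but a packer that also encrypts the DEX strings or the native library will defeat the marker search, so treat a clean result as "nothing found", not "clean".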
The banking trojan module also goes after financial data directly, in addition to stealing cryptocurrency by tampering with transactions and harvesting credentials. While all confirmed infections Kaspersky observed are in Brazil, the firm notes the malware could expand geographically if its operators find the campaign effective.
The practical defensive steps the report identifies are consistent with baseline Android security: avoid side-loading APKs from outside the official Google Play Store unless the publisher is trusted, audit app permissions for anything inconsistent with stated functionality, and run regular Play Protect scans.
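The permission audit above is easy to script over a connected device. The helper below is an added example, not part of the report: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell dumpsys package <pkg>`, then lists, for every package the Play Store did not install, the requested permissions that do not fit a single-purpose app. The package names and dump text are constructed samples that mirror the real format; the set of "suspect" permissions is this example's own choice.

```python
"""Audit helper for the defensive steps above: list packages that did not
come from the Play Store and flag permissions that do not fit a single
purpose app. Added example, not from the report. It parses the text that
`adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>`
print; the sample output below is constructed to mirror that format."""
import re

PLAY_STORE = "com.android.vending"
# Permissions worth a second look on a sideloaded app: installing other
# packages, drawing over other apps, reading the screen, persistent
# foreground services, microphone, SMS. This list is the example's choice.
SUSPECT_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
}

# Constructed sample of `pm list packages -3 -i`; package names are placeholders.
SAMPLE_PM = """package:com.example.starlinkapp  installer=null
package:com.bank.legit  installer=com.android.vending
package:com.example.notes  installer=com.android.packageinstaller
"""
# Constructed excerpts of `dumpsys package <pkg>` for two of those packages.
SAMPLE_DUMPSYS = {
    "com.example.starlinkapp": """  Package [com.example.starlinkapp] (1a2b3c):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.FOREGROUND_SERVICE
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.notes": """  Package [com.example.notes] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
""",
}

def parse_installers(pm_output: str) -> dict:
    """'package:<name>  installer=<pkg|null>' lines -> {name: installer or None}."""
    result = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M):
        name, installer = m.group(1), m.group(2)
        result[name] = None if installer == "null" else installer
    return result

def parse_requested_permissions(dumpsys_output: str) -> list:
    """Collect the lines under 'requested permissions:' until the next section header."""
    perms, in_section = [], False
    for line in dumpsys_output.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
            continue
        if in_section:
            if not stripped or stripped.endswith(":"):  # next section starts
                break
            perms.append(stripped.split(":")[0])
    return perms

def audit(installers: dict, dumpsys_by_pkg: dict) -> dict:
    """{pkg: sorted suspect permissions} for every package not installed by Play."""
    report = {}
    for pkg, installer in installers.items():
        if installer == PLAY_STORE:
            continue
        perms = parse_requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        report[pkg] = sorted(SUSPECT_PERMISSIONS & set(perms))
    return report

if __name__ == "__main__":
    for pkg, perms in audit(parse_installers(SAMPLE_PM), SAMPLE_DUMPSYS).items():
        print(pkg, "(sideloaded)", ", ".join(perms) or "no suspect permissions")
```

On a real device, capture `adb shell pm list packages -3 -i` into `SAMPLE_PM`'s place and `adb shell dumpsys package <pkg>` for each non-Play package into the dictionary; a package with `installer=null` was typically sideloaded by hand, which is exactly the path the fake Starlink APK relies on.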
This article is a curated summary based on third-party sources.