Kaspersky researchers identified a new Android Trojan dubbed BeatBanker targeting Brazil, posing as government apps and Google Play Store, and capable of both crypto mining and stealing banking data.

Securelist is a cybersecurity blog and research platform operated by Kaspersky Lab. It offers insights, analysis, and reports on cybersecurity threats, vulnerabilities, and malware campaigns. Developers can learn about emerging cyber threats, security best practices, and mitigation strategies to protect their applications and systems. Additionally, Securelist provides insights into cybersecurity trends, threat intelligence, and industry developments, offering resources for cybersecurity professionals.

Securelist

Kaspersky's GReAT team has uncovered BeatBanker, a sophisticated Android Trojan targeting Brazilian users via a phishing site disguised as the Google Play Store. The malware spreads through a fake INSS (Brazilian social security) app and deploys multiple malicious components: an XMRig-based Monero cryptocurrency miner and a banking Trojan that overlays Binance and Trust Wallet screens to steal USDT transactions. A novel persistence mechanism plays an almost inaudible looping audio file to prevent the OS from killing the process. The malware uses Firebase Cloud Messaging as its C2 channel and monitors battery temperature, charging status, and user presence to control mining activity. Newer BeatBanker variants have replaced the banking module with BTMOB RAT — a Malware-as-a-Service remote administration tool evolved from CraxsRAT and CypherRAT — providing full device surveillance including keylogging, screen recording, camera access, and GPS tracking. IoCs and detection signatures are provided.

BeatBanker: both banker and miner for Android