Kaspersky's GReAT team has uncovered BeatBanker, a sophisticated Android Trojan targeting Brazilian users via a phishing site disguised as the Google Play Store. The malware spreads through a fake INSS (Brazilian social security) app and deploys multiple malicious components: an XMRig-based Monero cryptocurrency miner and a banking Trojan that overlays Binance and Trust Wallet screens to steal USDT transactions. A novel persistence mechanism plays an almost inaudible looping audio file to prevent the OS from killing the process. The malware uses Firebase Cloud Messaging as its C2 channel and monitors battery temperature, charging status, and user presence to control mining activity. Newer BeatBanker variants have replaced the banking module with BTMOB RAT — a Malware-as-a-Service remote administration tool evolved from CraxsRAT and CypherRAT — providing full device surveillance including keylogging, screen recording, camera access, and GPS tracking. IoCs and detection signatures are provided.

From securelist.com