New BeatBanker Android malware poses as Starlink app to hijack devices

BeatBanker is a new Android malware discovered by Kaspersky that poses as a Starlink app on fake Google Play Store sites to trick users into sideloading an APK. The APK combines banking trojan functions with Monero mining and now also deploys the BTMOB RAT. It evades detection by loading hidden DEX code and delaying malicious actions, maintains persistence via a near-inaudible MP3 loop, and uses a modified XMRig miner plus FCM telemetry to optimize stealthy mining and remote access.

Key points

  • BeatBanker masquerades as a Starlink app on fake Google Play Store websites to lure users into sideloading an APK.
  • The APK uses native libraries to decrypt and load hidden DEX code in memory and performs environment checks to avoid analysis.
  • Recent campaigns in Brazil show BeatBanker deploys BTMOB RAT, granting full remote access, keylogging, screen and camera control, and GPS tracking.
  • It mines Monero using a modified XMRig compiled for ARM and adapts mining based on device conditions via FCM telemetry.
  • Persistence is maintained by continuously playing a nearly inaudible MP3 in the foreground to prevent the system from suspending the service.

Read More: https://www.bleepingcomputer.com/news/security/new-beatbanker-android-malware-poses-as-starlink-app-to-hijack-devices/