
BeatBanker

BeatBanker is an Android malware family and campaign targeting users in Brazil. It is distributed mainly through phishing pages and bogus websites that masquerade as the Google Play Store, with lures posing as Brazilian government apps such as “INSS Reembolso” and as a fake Starlink app. Kaspersky described it as a new Android Trojan that combines banking-trojan behaviour with cryptocurrency mining: it mines Monero using a modified XMRig 6.17.0 build compiled for ARM devices.

The malware uses a staged installation flow. The dropper requests permissions, runs anti-analysis and environment checks to confirm it is on a physical device in the target country, decrypts and loads hidden DEX code in memory, and then shows a fake Play Store update screen to prompt installation of further encrypted modules. Persistence relies on a foreground service that loops an almost inaudible five-second MP3 of Chinese speech: a service that is actively playing media is treated by Android as user-visible work and is far less likely to be killed by the system or by OEM battery savers. The malware may also pin a system-update-style notification. Command-and-control and telemetry run over Google Firebase Cloud Messaging (FCM); the device reports battery level, temperature, charging state, user activity and overheating status, and operators use those readings to start or stop mining so the device does not become noticeably hot or slow.
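The behaviours above leave static traces in a package even before the encrypted modules are fetched: the in-memory loader class is referenced by name in the dropper's DEX, the overlay, accessibility and foreground-service permissions sit in the manifest, and the persistence clip ships as an asset. The triage script below is an added example, not code from this page or from Kaspersky's analysis. It unpacks an APK with Python's zipfile module and searches the DEX and the binary manifest for those strings (DEX string tables are UTF-8-compatible, the binary manifest keeps its string pool in UTF-16LE, so both encodings are tried). The indicator list, the weights and the two constructed sample packages are this example's own assumptions; a hit means "review this", not "malicious".

```python
"""Static triage of an APK for the BeatBanker traits described above.

Added example (not the page's or Kaspersky's code). An APK is a zip;
DEX string tables are UTF-8-compatible and the binary manifest keeps
its string pool in UTF-16LE, so each indicator is searched in both
encodings. Indicator list and weights are this example's assumptions.
"""
import io
import zipfile

# (needle, description, weight): constructed from the behaviours reported for BeatBanker
INDICATORS = [
    ("Ldalvik/system/InMemoryDexClassLoader;", "in-memory DEX loading (T1620)", 3),
    ("android.permission.SYSTEM_ALERT_WINDOW", "draw-over-other-apps overlay permission", 2),
    ("android.permission.BIND_ACCESSIBILITY_SERVICE", "accessibility service: simulated taps/text", 2),
    ("android.permission.FOREGROUND_SERVICE", "foreground service", 1),
    ("android.permission.RECORD_AUDIO", "microphone capture", 1),
    ("com.google.firebase.messaging", "Firebase Cloud Messaging client (C2 channel)", 1),
    ("setLooping", "looping media playback (persistence audio)", 1),
    ("output8.mp3", "reported persistence audio file name", 3),
    ("fud2026.com", "reported mining infrastructure", 3),
]
MEDIA_EXT = (".mp3", ".ogg", ".wav")


def _scanned(name: str) -> bool:
    """Only code and the manifest are searched; resources are large and noisy."""
    return name.endswith(".dex") or name == "AndroidManifest.xml"


def scan_apk(apk_bytes: bytes) -> dict:
    """Return {'hits': {needle: {...}}, 'media': [asset names], 'score': int}."""
    hits, media = {}, []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(MEDIA_EXT):
                media.append(name)
            if not _scanned(name):
                continue
            blob = zf.read(name)
            for needle, desc, weight in INDICATORS:
                # DEX strings are UTF-8-compatible; the binary manifest pool is UTF-16LE
                if needle.encode("utf-8") in blob or needle.encode("utf-16-le") in blob:
                    hit = hits.setdefault(needle, {"description": desc, "weight": weight, "members": []})
                    hit["members"].append(name)
    score = sum(h["weight"] for h in hits.values())
    # a looping player plus a bundled short clip is the reported persistence pattern
    if media and "setLooping" in hits:
        score += 2
    return {"hits": hits, "media": media, "score": score}


def build_sample_apk(malicious: bool) -> bytes:
    """Constructed stand-in for an APK: the zip layout of a real package, fake contents."""
    perms = ["android.permission.INTERNET"]
    dex = b"dex\n035\x00Lcom/example/app/MainActivity;\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            perms += ["android.permission.SYSTEM_ALERT_WINDOW",
                      "android.permission.BIND_ACCESSIBILITY_SERVICE",
                      "android.permission.FOREGROUND_SERVICE"]
            dex += b"Ldalvik/system/InMemoryDexClassLoader;\x00setLooping\x00output8.mp3\x00"
            zf.writestr("assets/output8.mp3", b"ID3" + bytes(64))
        # the real manifest is binary AXML; only its UTF-16LE string pool matters here
        zf.writestr("AndroidManifest.xml", "\x00".join(perms).encode("utf-16-le"))
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label in (True, False):
        report = scan_apk(build_sample_apk(label))
        print("malicious" if label else "benign", "sample -> score", report["score"])
        for needle, hit in report["hits"].items():
            print(f"  {hit['description']} [{needle}] in {', '.join(hit['members'])}")
```

Run it against a real sample with `scan_apk(open(path, "rb").read())`; strings pulled from native libraries or decrypted secondary DEX files will not show up in the dropper, which is exactly why the loader class reference and the bundled clip are the useful first-stage signals.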

Financially motivated capabilities described in the reporting include theft of banking data and credentials, monitoring of browser activity and visited URLs, interception of one-time codes from Google Authenticator, clipboard monitoring, keystroke interception, SMS sending, audio recording, screen streaming and recording, and simulated taps and text input. BeatBanker also draws overlays over Binance and Trust Wallet and can swap the destination address during USDT transactions, redirecting the transfer to an attacker-controlled wallet. Earlier reporting describes it as targeting Brazilian banks and the PIX instant-payment infrastructure more broadly.

Recent BeatBanker variants reportedly swap the original banking module for BTMOB RAT. In those variants BTMOB supplies broader remote-access and surveillance functionality: persistent access, full device control, keylogging, credential capture, screen recording, camera access and GPS tracking.

High-confidence infrastructure and indicators named directly in the reporting include the phishing domain cupomgratisfood[.]shop; the mining-related domains accessor.fud2026[.]com and fud2026[.]com, and the pool endpoints pool.fud2026[.]com:9000 and pool-proxy.fud2026[.]com:9000; the persistence audio file output8.mp3; and the targeted and impersonated applications Binance, Trust Wallet, the “INSS Reembolso” lure and the fake Starlink installers.
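To turn the network indicators above into a hunt, refang them and match DNS and connection records on the domain and, where the indicator carries one, the port. The script below is an added example, not tooling from this page or from any vendor; the log format (one record per line, `DNS client name` or `CONN client host:port`) and the log lines themselves are constructed for the example. Subdomains of an indicator domain match as well, which also catches new hosts under fud2026[.]com; a port-qualified indicator such as pool.fud2026[.]com:9000 only claims connections on that port, and other ports fall back to the parent-domain indicator so contact is still flagged.

```python
"""Match BeatBanker network indicators against DNS and connection records.

Added example (not the page's or any vendor's tooling). Log format is
constructed: one record per line, 'DNS <client> <queried-name>' or
'CONN <client> <dst-host>:<dst-port>'.
"""
from dataclasses import dataclass
from typing import List, Optional

# Indicators as published on the page, still defanged
RAW_IOCS = [
    "cupomgratisfood[.]shop",
    "accessor.fud2026[.]com",
    "fud2026[.]com",
    "pool.fud2026[.]com:9000",
    "pool-proxy.fud2026[.]com:9000",
]


@dataclass(frozen=True)
class Ioc:
    domain: str
    port: Optional[int]

    def label(self) -> str:
        return f"{self.domain}:{self.port}" if self.port else self.domain


def refang(value: str) -> str:
    """Undo the usual defanging so indicators compare against live log values."""
    return (value.strip().lower().replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").rstrip("."))


def parse_ioc(raw: str) -> Ioc:
    host, _, port = refang(raw).partition(":")
    return Ioc(host, int(port) if port else None)


IOCS = [parse_ioc(r) for r in RAW_IOCS]


def domain_matches(name: str, ioc_domain: str) -> bool:
    """Exact match or a proper subdomain; 'fud2026.com.example.net' must not match."""
    name = name.lower().rstrip(".")
    return name == ioc_domain or name.endswith("." + ioc_domain)


def best_match(host: str, port: Optional[int] = None) -> Optional[Ioc]:
    """Most specific indicator for a host (and port, for connections); None if clean."""
    candidates = []
    for ioc in IOCS:
        if not domain_matches(host, ioc.domain):
            continue
        # a port-qualified indicator only claims connections on that port;
        # DNS lookups carry no port, so they match on the host alone
        if port is not None and ioc.port is not None and ioc.port != port:
            continue
        candidates.append(ioc)
    if not candidates:
        return None
    return max(candidates, key=lambda i: (len(i.domain), i.port is not None))


def scan_logs(lines: List[str]) -> List[dict]:
    """One alert per record that touches an indicator, in log order."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("DNS", "CONN"):
            continue  # malformed or unknown record type
        kind, client, target = parts
        if kind == "DNS":
            host, port = target, None
        else:
            host, sep, port_str = target.rpartition(":")
            if not sep:
                host, port_str = target, ""
            port = int(port_str) if port_str.isdigit() else None
        ioc = best_match(host, port)
        if ioc:
            alerts.append({"kind": kind, "client": client, "target": target, "ioc": ioc.label()})
    return alerts


# Constructed log: one infected client, one client on a sibling host under the
# same domain, and one decoy whose name merely contains the indicator
SAMPLE_LOG = """\
DNS 10.0.0.12 www.gstatic.com
DNS 10.0.0.12 cupomgratisfood.shop
DNS 10.0.0.12 accessor.fud2026.com
CONN 10.0.0.12 accessor.fud2026.com:443
CONN 10.0.0.12 pool-proxy.fud2026.com:9000
DNS 10.0.0.31 mobile.fud2026.com
CONN 10.0.0.31 pool.fud2026.com:443
CONN 10.0.0.44 fud2026.com.example.net:9000
""".splitlines()


if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOG):
        print(f"{a['client']} {a['kind']} {a['target']} -> IOC {a['ioc']}")
```

The suffix check is deliberate: matching on `"fud2026.com" in name` would also fire on the decoy `fud2026.com.example.net`, while a plain equality check would miss `mobile.fud2026.com`, a host the reporting never lists but which sits on the same attacker domain.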


MITRE ATT&CK

Techniques & procedures

22 distinct techniques documented for this family, organized by ATT&CK tactic. The IDs below are ATT&CK Enterprise techniques applied to Android malware; the ATT&CK Mobile matrix has closer equivalents for several entries (for example T1417.002 GUI Input Capture for the overlay behaviour).

Initial Access

1 technique
T1566 Phishing (evidence: 3)

"BeatBanker, which spreads primarily through phishing attacks via a website disguised as the Google Play Store."

Execution

1 technique
T1204 User Execution (evidence: 3)

"Installation of an APK file purporting to be the Starlink app" ... "warned against sideloading APKs from external stores."

Persistence

3 techniques
T1543 Create or Modify System Process (evidence: 1)

"keeps a notification... pinned to the foreground and activates a foreground service" | "plays an almost inaudible audio file on a loop so it cannot be terminated"

T1546.015 Component Object Model Hijacking (evidence: 1)

"creates overlay pages for Binance and Trust Wallet" and "Requests Draw Over Other Apps permission (overlay)"

Mapping caveat: T1546.015 is a Windows COM registry hijack. The quoted behaviour is an Android overlay attack (a fake window drawn over Binance and Trust Wallet using the draw-over-other-apps permission), which ATT&CK Mobile tracks as T1417.002 GUI Input Capture; it is a credential-theft technique, not a persistence mechanism.

T1547 Boot or Logon Autostart Execution (evidence: 1)

"After playing an almost inaudible five-second Chinese MP3 recording for persistence"

Mapping caveat: the quoted behaviour is the looping-audio foreground service already cited under T1543 and does not show execution at boot or login.

Privilege Escalation

4 techniques
T1055 Process Injection (evidence: 1)

"the fake update downloader injects modules directly into RAM to avoid creating files"

Mapping caveat: the quoted behaviour is in-memory loading of the malware's own modules, which this page also lists under T1620 Reflective Code Loading; no injection into another process is described.

T1543 Create or Modify System Process (evidence: 1)

"keeps a notification... pinned to the foreground and activates a foreground service" | "plays an almost inaudible audio file on a loop so it cannot be terminated"

T1546.015 Component Object Model Hijacking (evidence: 1)

"creates overlay pages for Binance and Trust Wallet" and "Requests Draw Over Other Apps permission (overlay)"

Mapping caveat: T1546.015 is a Windows COM registry hijack. The quoted behaviour is an Android overlay attack (a fake window drawn over Binance and Trust Wallet using the draw-over-other-apps permission), which ATT&CK Mobile tracks as T1417.002 GUI Input Capture; it neither escalates privileges nor persists.

T1547 Boot or Logon Autostart Execution (evidence: 1)

"After playing an almost inaudible five-second Chinese MP3 recording for persistence"

Mapping caveat: the quoted behaviour is the looping-audio foreground service already cited under T1543 and does not show execution at boot or login.

Defense Evasion

6 techniques
T1027 Obfuscated Files or Information (evidence: 3)

"All components of the trojan are encrypted."

T1036 Masquerading (evidence: 5)

BeatBanker targeting Brazil, posing as government apps and Google Play Store

T1055 Process Injection (evidence: 1)

"the fake update downloader injects modules directly into RAM to avoid creating files"

Mapping caveat: the quoted behaviour is in-memory loading of the malware's own modules, which this page also lists under T1620 Reflective Code Loading; no injection into another process is described.

T1497 Virtualization/Sandbox Evasion (evidence: 5)

"Besides incorporating runtime checks for emulated or analysis environments"; "advanced evasion techniques, such as native library encryption, rolling XOR string obfuscation"

Mapping caveat: only the first quote supports sandbox evasion; native library encryption and rolling XOR string obfuscation are evidence for T1027 Obfuscated Files or Information.

T1497.003 Time Based Checks (evidence: 1)

"To avoid triggering any alarms, BeatBanker delays malicious operations for a period after its installation."

T1620 Reflective Code Loading (evidence: 1)

"bypass mobile antivirus products by utilizing dalvik.system.InMemoryDexClassLoader. It loads malicious DEX code directly into memory"

Credential Access

3 techniques
T1056 Input Capture (evidence: 3)

capable of both crypto mining and stealing banking data

T1056.001 Keylogging (evidence: 1)

"KBO<*>... Enables... the keylogger" and "capture screen lock credentials, including PINs, patterns, and passwords"

T1555 Credentials from Password Stores (evidence: 1)

"...features both banking trojan... capabilities" and "BeatBanker proceeds to launch a banking trojan"

Mapping caveat: the reporting describes banking credentials captured through overlays and keylogging; it does not describe reads from a password store or credential manager.

Discovery

3 techniques
T1082 System Information Discovery (evidence: 1)

"...sends... information about the device’s battery level and temperature, charging status, usage activity, and whether it has overheated."

T1497 Virtualization/Sandbox Evasion (evidence: 5)

"Besides incorporating runtime checks for emulated or analysis environments"; "advanced evasion techniques, such as native library encryption, rolling XOR string obfuscation"

Mapping caveat: only the first quote supports sandbox evasion; native library encryption and rolling XOR string obfuscation are evidence for T1027 Obfuscated Files or Information.

T1497.003 Time Based Checks (evidence: 1)

"To avoid triggering any alarms, BeatBanker delays malicious operations for a period after its installation."

Collection

4 techniques
T1056 Input Capture (evidence: 3)

capable of both crypto mining and stealing banking data

T1056.001 Keylogging (evidence: 1)

"KBO<*>... Enables... the keylogger" and "capture screen lock credentials, including PINs, patterns, and passwords"

T1113 Screen Capture (evidence: 2)

"Streaming the screen in real-time"

T1123 Audio Capture (evidence: 2)

"Recording audio from the microphone"

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 1)

"Using Firebase Cloud Messaging (FCM), the malware continuously sends the command-and-control (C2) server information about the device’s battery level and temperature..."

T1102 Web Service (evidence: 2)

"authors leverage Google’s legitimate Firebase Cloud Messaging (FCM)... attackers can monitor the device’s status and change its settings"

T1105 Ingress Tool Transfer (evidence: 2)

"...display of a counterfeit Play Store update screen that permits further payload delivery"

Exfiltration

1 technique
T1020 Automated Exfiltration (evidence: 1)

"...credential exfiltration..."

Impact

1 technique
T1496 Resource Hijacking (evidence: 6)

capable of both crypto mining and stealing banking data
