BeatBanker Android Malware Campaign Impersonating Starlink and Government Apps
Kaspersky reported a new Android malware campaign dubbed BeatBanker targeting users in Brazil, distributed via phishing sites that closely mimic the Google Play Store and lure victims into installing trojanized APKs posing as legitimate apps such as Starlink and the Brazilian government services app INSS Reembolso. The infection chain is staged to reduce suspicion: an initial decoy app presents a fake in-app “update” flow that prompts users to grant permission to install additional apps/modules, after which the malware pulls down further payloads and requests expanded privileges.
Technical reporting indicates BeatBanker blends banking trojan capabilities with cryptomining (including a modified XMRig), and newer variants may deploy the commodity Android RAT BTMOB in place of the banking module, enabling broad device takeover (e.g., keylogging, screen recording, camera access, GPS tracking, and credential capture). The malware uses evasion techniques such as decrypting and loading hidden DEX code in-memory, performing anti-analysis environment checks, delaying malicious actions post-install, and maintaining persistence by continuously playing a near-inaudible MP3 (output8.mp3) to keep a foreground service alive and reduce the likelihood of the process being suspended by Android power management.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Kaspersky publicly discloses BeatBanker and BTMOB campaign details
Kaspersky published its findings on the BeatBanker Android malware campaign, describing its infection chain, Firebase Cloud Messaging-based command-and-control, mining behavior, and BTMOB-linked variants. The company warned the activity was currently concentrated in Brazil but could expand further.
Newer BeatBanker variants begin deploying BTMOB RAT
Kaspersky reported that more recent variants replaced or supplemented the banking module with the BTMOB remote-access trojan. This expanded the campaign from financial theft and mining to full device surveillance and control, including keylogging, screen recording, camera access, and geolocation tracking.
Researchers identify stealth persistence and evasion techniques in BeatBanker
Analysis showed BeatBanker decrypts and loads hidden code in memory, performs anti-analysis checks, and uses fake Play Store update prompts to gain permissions and fetch additional payloads. It also maintains persistence by running a foreground service that plays a nearly inaudible looping audio file and can throttle mining based on device conditions.
BeatBanker uses banking theft, crypto hijacking, and Monero mining
Researchers found the malware combines banking-trojan functions with cryptocurrency theft and covert Monero mining on infected Android devices. It steals credentials, abuses accessibility and overlays, and can tamper with wallet transactions by replacing recipient addresses.
BeatBanker campaign targets Android users in Brazil via fake app sites
Kaspersky observed a newly identified Android malware campaign in Brazil distributing trojanized apps through phishing pages that mimic the Google Play Store. The lures impersonated services including Starlink and the Brazilian government-themed "INSS Reembolso" app.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets
thehackernews.com
Open sourceFake government and Starlink apps used in malware campaign targeting Brazil | The Record from Recorded Future News
therecord.media
Open sourceNew dual-purpose BeatBanker Android malware examined | brief | SC Media
scworld.com
Open sourceBeatBanker malware targets Android users with banking Trojan and crypto miner
securityaffairs.com
Open sourceBeatBanker Android Trojan Uses Silent Audio Loop to Steal Crypto
hackread.com
Open sourceBeatBanker and BTMOB trojans: infection techniques and how to stay safe | Kaspersky official blog
kaspersky.com
Open sourceNew BeatBanker Android malware poses as Starlink app to hijack devices
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Four Android Banking Trojans Target 800+ Apps With MFA-Bypassing Overlays
Zimperium zLabs identified four Android malware families—**RecruitRat, SaferRat, Astrinox, and Massiv**—in active campaigns targeting users of more than **800 banking, cryptocurrency, and social media apps**. The malware is being spread through phishing sites, smishing messages, fake job application and streaming lures, counterfeit app-store pages, and bogus updates that trick victims into installing malicious APKs. Researchers said the campaigns rely heavily on overlay attacks, with fake login screens placed over legitimate apps to steal credentials; **RecruitRat** alone reportedly includes more than **700** fraudulent login pages. Once installed, the trojans abuse Android features including **Accessibility Services**, the **Session Installation API**, **MediaProjection**, overlays, and **WebView** to gain persistence, intercept SMS and one-time passwords, log keystrokes, enumerate apps, steal contacts, freeze screens, stream displays, and remotely control infected devices. The malware also uses anti-analysis techniques such as APK tampering, encrypted strings, reflection, dynamic DEX loading, and environment-aware execution, while command-and-control traffic is sent over HTTPS or WebSockets, with RecruitRat additionally using **RC4** encryption. Researchers warned the activity creates enterprise risk because infected employee devices can enable account takeover, bypass MFA, and expose corporate resources.
Apr 20, 2026
Android Banking Trojan Masquerades as News and ID Apps to Steal Credentials and Crypto
A sophisticated Android banking Trojan, identified as Android/BankBot-YNRK, has been discovered targeting users primarily in Indonesia and potentially other Southeast Asian countries. The malware disguises itself as legitimate applications, including news readers and digital ID apps such as "Identitas Kependudukan Digital," to trick users into installation. Once installed, it leverages Android's accessibility features and device administrator privileges to gain extensive control over the device, allowing it to read on-screen content, simulate user actions, and overlay fake login screens on top of real banking and cryptocurrency apps to harvest credentials. The Trojan employs advanced evasion techniques, such as checking for emulators to avoid detection, obfuscating its code, and muting device notifications to operate stealthily. It connects to a remote command-and-control server to exfiltrate sensitive data, including banking credentials and cryptocurrency wallet keys, and can receive further instructions to update itself or erase traces. The malware's primary objective is financial theft, enabling attackers to drain victims' bank accounts and crypto wallets without their knowledge. Security researchers note that the malware's abuse of accessibility permissions is mitigated in Android 14, which requires explicit user approval for such access, but devices running Android 13 and earlier remain vulnerable.
Mar 21, 2026
Scams and Malware Abusing Google Branding to Steal Cryptocurrency
Security researchers reported multiple campaigns abusing *Google* branding to drive crypto theft. Malwarebytes identified a polished fraudulent “presale” site promoting a fake token called **“Google Coin”** and embedding a chatbot that impersonates **Google Gemini**; the bot delivers a scripted investment pitch, cites specific token pricing and a “2026 roadmap,” and steers victims toward sending irreversible cryptocurrency payments while avoiding verifiable corporate, regulatory, or registration details. Separately, Kaspersky’s Securelist detailed **BeatBanker**, an Android malware campaign targeting Brazil that spreads via phishing to a website masquerading as the **Google Play Store** (e.g., `cupomgratisfood[.]shop`) and distributing trojanized APKs such as a fake “INSS Reembolso” app. The malware combines a **cryptominer** with a **banking Trojan** capable of device hijacking and screen overlays, including swapping destination addresses during **USDT** transactions in apps like *Binance* and *Trust Wallet*; newer samples reportedly replaced the banking module with **BTMOB RAT** while retaining the broader infection chain and persistence techniques (including looping near-inaudible audio to resist termination).
Mar 21, 2026