Kaspersky researchers identified a new Android Trojan dubbed BeatBanker targeting Brazil, posing as government apps and Google Play Store, and capable of both crypto mining and stealing banking data.
# Tool/Technique: BeatBanker
## Overview
BeatBanker is a dual-threat Android Trojan identified by Kaspersky, primarily targeting users in Brazil. It distinguishes itself by combining traditional financial fraud capabilities (banking Trojan) with cryptocurrency mining (XMRig). The malware often masquerades as legitimate applications, including the Google Play Store and Brazilian government-related apps (such as "Carteira de Trabalho Digital"), to deceive users into granting extensive permissions.
## Technical Details
- **Type:** Malware Family (Android Trojan / Banker / Miner)
- **Platform:** Android
- **Capabilities:** Accessibility Service abuse, credential theft via overlay attacks, SMS interception, and Monero (XMR) mining.
- **First Seen:** Early 2024 (Activity surged in mid-2024)
## MITRE ATT&CK Mapping
- **[TA0037 - Persistence]**
  - [T1624.001 - Event Notification Subscription: Accessibility Service]
- **[TA0006 - Credential Access]**
  - [T1417 - Input Capture]
  - [T1411 - Adversary-in-the-Middle] (Overlay attacks)
- **[TA0009 - Collection]**
  - [T1636.004 - Client Application Data: SMS Messages]
- **[TA0040 - Impact]**
  - [T1496 - Resource Hijacking] (Cryptojacking)
## Functionality
### Core Capabilities
- **Banking Fraud:** Uses overlay screens that mimic the login pages of major Brazilian banks to capture account credentials and PII.
- **Accessibility Service Abuse:** Requests permission to use Android's Accessibility Services, allowing it to observe user actions, interact with other apps, and prevent its own uninstallation.
- **SMS Interception:** Captures incoming messages, most likely to harvest Two-Factor Authentication (2FA) codes delivered via SMS and so defeat that control.
- **Data Exfiltration:** Sends harvested credentials and device information back to a remote Command and Control (C2) server.
### Advanced Features
- **Integrated Cryptominer:** Includes a version of the XMRig miner (compiled for ARM architectures) to mine Monero using the victim's device resources.
- **Dynamic C2 Resolution:** Uses encrypted strings or third-party platforms to hide its hardcoded C2 infrastructure, making it harder to track.
- **Resource Management:** Contains logic to pause mining activity when the device's battery is low or the screen is active to avoid detection by the user.
## Indicators of Compromise
- **File Hashes:**
  - SHA256: `9f3c756916819eb3167be0e68d186640c49eb0f32488737233f2597f7fa0808a` (Example variant)
  - SHA256: `4d4d80119b48f9588b397da3b2b4156c4d6621f2bb8b0f81a7b489564f275661`
- **File Names:**
  - `GooglePlay.apk`
  - `Carteira_Digital.apk`
  - `GovBR_Auth.apk`
- **Network Indicators:**
  - `hxxps[:]//beatbanker[.]xyz`
  - `hxxp[:]//185[.]213[.]255[.]101/api/`
  - `pool[.]monero[.]hashvault[.]pro:443` (Miner pool)
- **Behavioral Indicators:**
  - High CPU usage when the screen is off (cryptomining).
  - Persistent request for "Accessibility Services" immediately after installation.
  - Automatic deletion of its own application icon from the home screen upon first launch.
## Associated Threat Actors
- Primarily suspected to be **Brazilian cybercriminals** due to the specific targeting of local financial institutions and the use of Portuguese in social engineering lures.
## Detection Methods
- **Signature-based:** Antivirus detection for strings related to the XMRig miner and specific class names within the APK (e.g., `com.beat.banker`).
- **Behavioral:** Monitoring for the "Accessibility Service" abuse pattern where an app requests pervasive UI control immediately after installation.
- **Network:** Identification of traffic directed toward known Monero mining pools (Stratum protocol) initiated from mobile devices.
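As an added example that is not part of the report, the Python sketch below applies the network detection idea above to constructed sensor log entries: it recognises the JSON-RPC login/job/submit shape of the Stratum exchange used by XMRig-style Monero miners and flags devices that both logged in to a pool and submitted shares. The field names follow XMRig's public Stratum dialect; all addresses, wallet, job and nonce values are constructed.

```python
import json

# Constructed sample of a network-sensor log, one entry per captured TCP
# payload as (src, dst, payload).  Addresses and values are made up; the
# payloads mimic the Stratum login/job/submit exchange of XMRig-style miners.
SAMPLE_LOG = [
    ("10.0.0.23", "203.0.113.5:443",
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
     '"pass":"x","agent":"XMRig/6.21.0 (Linux arm64)","algo":["rx/0","cn/r"]}}'),
    ("203.0.113.5:443", "10.0.0.23",
     '{"id":1,"jsonrpc":"2.0","result":{"id":"a1","job":{"blob":"0e0e0e","job_id":"j1",'
     '"target":"b88d0600","algo":"rx/0"},"status":"OK"}}'),
    ("10.0.0.23", "203.0.113.5:443",
     '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"a1","job_id":"j1",'
     '"nonce":"1a2b3c4d","result":"00ff00ff"}}'),
    ("10.0.0.42", "198.51.100.9:443", '{"jsonrpc":"2.0","method":"ping","params":{}}'),
    ("10.0.0.42", "198.51.100.9:443", "GET /index.html HTTP/1.1"),  # not JSON at all
]

def classify_payload(payload):
    """Return 'login', 'submit' or 'job' for a recognisable Stratum mining
    message, or None for anything else (non-JSON, unrelated JSON-RPC)."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    params, result = msg.get("params"), msg.get("result")
    params = params if isinstance(params, dict) else {}
    method = msg.get("method")
    if method == "login" and {"login", "agent", "algo"}.issubset(params):
        return "login"
    if method == "submit" and {"job_id", "nonce", "result"}.issubset(params):
        return "submit"
    # A job arrives either as its own "job" message or inside the login reply.
    job = params if method == "job" else (result.get("job") if isinstance(result, dict) else None)
    return "job" if isinstance(job, dict) and {"blob", "job_id", "target"}.issubset(job) else None

def find_miners(log):
    """Aggregate Stratum message kinds per client device and return the devices
    that both logged in to a pool and submitted shares, i.e. were actively mining."""
    seen = {}
    for src, dst, payload in log:
        kind = classify_payload(payload)
        if kind is None:
            continue
        device = dst if kind == "job" else src  # jobs flow pool -> device
        seen.setdefault(device, set()).add(kind)
    return {dev: kinds for dev, kinds in seen.items() if {"login", "submit"} <= kinds}
```

On the constructed log only `10.0.0.23` is reported; the unrelated JSON-RPC ping and the plain HTTP request from `10.0.0.42` are ignored.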
## Mitigation Strategies
- **Prevention:** Block the installation of apps from "Unknown Sources" in Android settings.
- **Hardening:** Use Mobile Threat Defense (MTD) solutions that can detect overlay attacks in real-time.
- **User Training:** Educate users on the risks of granting Accessibility Service permissions to apps that do not clearly require them for core functionality.
## Related Tools/Techniques
- **TeaBot / Anatsa:** Similar Android bankers using Accessibility Services for overlays.
- **XMRig:** The open-source miner used as a component within BeatBanker.
- **BRATA:** Another prominent Brazilian Android Trojan with remote access capabilities.