A new Android malware named BeatBanker can hijack devices and trick users into installing it by posing as a Starlink app on websites masquerading as the official Google Play Store. [...]
# Tool/Technique: BeatBanker
## Overview
BeatBanker is a multi-functional Android malware family that initially emerged as a banking trojan and Monero (XMR) miner. It is primarily distributed via social engineering, posing as legitimate applications—such as Starlink—on fraudulent websites designed to mimic the Google Play Store. Recent iterations have evolved to deliver additional payloads, including the BTMOB RAT, transitioning the malware into a full-device hijacking tool.
## Technical Details
- **Type:** Malware family (Banking Trojan / Miner / Loader)
- **Platform:** Android
- **Capabilities:** Credential theft, cryptocurrency mining, remote access (via BTMOB RAT), persistence via audio playback, and sandbox evasion.
- **First Seen:** Reported March 10, 2026
## MITRE ATT&CK Mapping
- **[TA0027 - Persistence]**
  - [T1622 - Video/Audio Capture (Abuse of MediaPlayer for KeepAlive)]
- **[TA0031 - Defense Evasion]**
  - [T1406 - Obfuscation / Native Library Decryption]
  - [T1497 - Virtualization/Sandbox Evasion]
- **[TA0034 - Credential Access]**
  - [T1411 - Input Injection / Overlay Attack]
- **[TA0009 - Collection]**
  - [T1512 - Screen Capture]
  - [T1430 - Location Tracking]
- **[TA0040 - Impact]**
  - [T1496 - Resource Hijacking (Cryptomining)]
## Functionality
### Core Capabilities
- **Social Engineering:** Uses "fake Play Store update" screens to trick victims into granting excessive permissions.
- **Payload Loading:** Employs native libraries to decrypt and load hidden DEX code into memory, bypassing traditional file-based scanners.
- **Monero Mining:** Integrates a modified version of XMRig (v6.17.0) compiled for ARM, connecting to attacker-controlled pools via encrypted TLS.
- **C2 Communication:** Utilizes Firebase Cloud Messaging (FCM) to relay device telemetry (battery, temperature, and charging status).
### Advanced Features
- **Acoustic Persistence:** Uses a `KeepAliveServiceMediaPlayback` component that loops a 5-second, nearly inaudible MP3 file (*output8.mp3*). This prevents the Android OS from suspending the malicious process due to inactivity.
- **Dynamic Resource Management:** Automatically pauses mining when the device overheats or when the victim is actively using it, so that the heat and slowdown do not draw attention.
- **Modular Delivery:** Capable of swapping banking modules for the **BTMOB RAT**, which offers full remote control, including camera access, keylogging, and GPS tracking.
## Indicators of Compromise
- **File Names:**
  - `output8.mp3` (Persistence trigger)
  - Starlink-themed APK installers
- **Network Indicators:**
  - [hxxp]://masqueraded-play-store[.]com (Example of distribution vector)
  - C2 communication via Firebase Cloud Messaging (FCM)
- **Behavioral Indicators:**
  - Unexpected Foreground Service notifications for "Media Playback."
  - Significant battery drain/overheating when the screen is off.
  - Requests for "Install Unknown Apps" or "Accessibility Services" permissions under the guise of an "Update."
## Associated Threat Actors
- Currently unattributed, though campaigns specifically target users in **Brazil**.
## Detection Methods
- **Signature-based detection:** Monitoring for the "output8.mp3" file hash and specific DEX loader signatures in memory.
- **Behavioral detection:** Identifying apps that maintain constant MediaPlayer activity without user-facing audio/video content.
- **Monitoring:** Detecting unauthorized XMRig network traffic over TLS to known mining pool ports.
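The behavioral indicators above (a media-playback foreground service that never shows a UI, screen-off battery drain, TLS sessions to mining-pool ports, and "Update"-style permission requests) can be combined into a simple per-app triage rule. The following is an added example, not tooling from the original report: it runs over constructed per-app telemetry records of the kind an MDM or mobile EDR agent might export. The record field names, the thresholds, and the mining-pool port list are assumptions chosen for the example.

```python
"""Behavioral triage for the BeatBanker indicators listed in the report.

Added example, not code from the original report. Input is a constructed
per-app telemetry record; field names, thresholds and the port list are
assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ports commonly used by public Monero mining pools (assumed list for the example;
# a real deployment would take this from threat-intel feeds).
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444, 14433}


@dataclass
class AppTelemetry:
    package: str
    has_ui_activity: bool              # app showed any foreground UI during the window
    media_fg_service_minutes: int      # minutes a "mediaPlayback" foreground service ran
    screen_off_drain_pct_per_hour: float
    tls_destinations: list[tuple[str, int]] = field(default_factory=list)
    requested_install_unknown: bool = False
    requested_accessibility: bool = False


def triage(rec: AppTelemetry, window_minutes: int = 60) -> list[str]:
    """Return the list of report indicators this record matches."""
    findings: list[str] = []

    # Acoustic persistence: a media-playback service alive for (almost) the whole
    # window while the app never presented anything to the user.
    if rec.media_fg_service_minutes >= 0.9 * window_minutes and not rec.has_ui_activity:
        findings.append("persistent media-playback service without user-facing content")

    # Mining symptom: heavy drain while the screen is off (threshold is an assumption).
    if rec.screen_off_drain_pct_per_hour >= 10.0:
        findings.append("significant battery drain while screen off")

    # XMRig-style traffic: TLS sessions to mining-pool ports.
    pool_hits = [f"{host}:{port}" for host, port in rec.tls_destinations
                 if port in MINING_POOL_PORTS]
    if pool_hits:
        findings.append("TLS to mining-pool port(s): " + ", ".join(pool_hits))

    # Social-engineering tell: sensitive permission prompts framed as an "Update".
    if rec.requested_install_unknown or rec.requested_accessibility:
        findings.append("requested Install Unknown Apps / Accessibility permission")

    return findings


def verdict(findings: list[str]) -> str:
    """Collapse findings into a severity; two or more independent signals is high."""
    if not findings:
        return "none"
    return "high" if len(findings) >= 2 else "medium"


# Constructed sample records (not real telemetry). 203.0.113.0/24 is a documentation range.
SAMPLES = {
    "legit_music_player": AppTelemetry(
        package="com.example.music", has_ui_activity=True,
        media_fg_service_minutes=60, screen_off_drain_pct_per_hour=2.0,
        tls_destinations=[("203.0.113.5", 443)]),
    "suspect_starlink_update": AppTelemetry(
        package="com.example.starlinkupdate", has_ui_activity=False,
        media_fg_service_minutes=58, screen_off_drain_pct_per_hour=14.5,
        tls_destinations=[("203.0.113.10", 14444), ("203.0.113.11", 443)],
        requested_accessibility=True),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        f = triage(rec)
        print(f"{name}: {verdict(f)}")
        for line in f:
            print("   -", line)
```

A legitimate music player also keeps a media-playback service alive for the whole window, which is why the rule requires the absence of any user-facing activity before counting it; on its own, that single indicator is only "medium" and is meant to be corroborated by the drain or pool-traffic signals.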
## Mitigation Strategies
- **Prevention:** Disable "Install from Unknown Sources" and only download applications from the official Google Play Store.
- **Hardening:** Regularly perform Google Play Protect scans and review "Accessibility Services" permissions for suspicious entries.
- **User Education:** Train users to recognize that official Google Play Store updates do not occur via in-app browser pop-ups or external APK downloads.
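The hardening items above (check for unexpected Accessibility Services and for apps allowed to install unknown apps) can be audited from a workstation over adb. The following is an added example, not tooling from the original report. It parses the output of three real commands (`adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -3`, and `adb shell appops get <pkg> REQUEST_INSTALL_PACKAGES`); the allow-list of expected accessibility services and the sample outputs embedded for the offline run are constructed, and the exact `appops` output wording is an assumption based on current Android builds.

```python
"""Audit an Android device for the two hardening points in the report:
unexpected Accessibility Services and third-party apps allowed to install
unknown apps. Added example, not the report's own tooling.
"""
from __future__ import annotations

import shutil
import subprocess

# Accessibility services an organization expects to see; assumed allow-list.
EXPECTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}


def parse_accessibility_services(raw: str) -> set[str]:
    """'settings get secure enabled_accessibility_services' prints
    'pkg/service:pkg2/service2', or 'null'/empty when none are enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/")[0] for entry in raw.split(":") if entry}


def parse_third_party_packages(raw: str) -> set[str]:
    """'pm list packages -3' prints one 'package:<name>' line per app."""
    return {line[len("package:"):].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def install_unknown_allowed(appops_raw: str) -> bool:
    """'appops get <pkg> REQUEST_INSTALL_PACKAGES' prints
    'REQUEST_INSTALL_PACKAGES: allow; time=...' when granted, or 'No operations.'
    (assumed wording)."""
    for line in appops_raw.splitlines():
        if line.startswith("REQUEST_INSTALL_PACKAGES:"):
            mode = line.split(":", 1)[1].strip().split(";")[0].strip()
            return mode == "allow"
    return False


def audit(accessibility_raw: str, packages_raw: str,
          appops_by_pkg: dict[str, str]) -> dict[str, set[str]]:
    """Return the packages that violate each hardening check."""
    third_party = parse_third_party_packages(packages_raw)
    enabled = parse_accessibility_services(accessibility_raw)
    return {
        "unexpected_accessibility": enabled - EXPECTED_ACCESSIBILITY,
        "install_unknown_apps": {pkg for pkg in third_party
                                 if install_unknown_allowed(appops_by_pkg.get(pkg, ""))},
    }


def collect_from_device() -> dict[str, set[str]]:
    """Run the real adb commands against the connected device (requires adb on PATH)."""
    def sh(*args: str) -> str:
        return subprocess.run(["adb", "shell", *args], check=True,
                              capture_output=True, text=True).stdout
    packages_raw = sh("pm", "list", "packages", "-3")
    appops = {pkg: sh("appops", "get", pkg, "REQUEST_INSTALL_PACKAGES")
              for pkg in parse_third_party_packages(packages_raw)}
    return audit(sh("settings", "get", "secure", "enabled_accessibility_services"),
                 packages_raw, appops)


# Constructed sample outputs so the audit can be exercised offline.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/"
                        "com.google.android.marvin.talkback.TalkBackService:"
                        "com.example.starlinkupdate/com.example.starlinkupdate.OverlayService")
SAMPLE_PACKAGES = "package:com.example.starlinkupdate\npackage:com.example.notes\n"
SAMPLE_APPOPS = {
    "com.example.starlinkupdate": "REQUEST_INSTALL_PACKAGES: allow; time=+2h3m0s ago",
    "com.example.notes": "No operations.",
}

if __name__ == "__main__":
    result = (collect_from_device() if shutil.which("adb")
              else audit(SAMPLE_ACCESSIBILITY, SAMPLE_PACKAGES, SAMPLE_APPOPS))
    for check, pkgs in result.items():
        print(f"{check}: {sorted(pkgs) or 'clean'}")
```

On a managed fleet the same three commands map onto MDM inventory fields, so the parsing functions can be reused against exported inventory rather than a live adb session; an app that appears in both result sets at once matches the report's "Update" pretext exactly.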
## Related Tools/Techniques
- **BTMOB RAT:** The remote access trojan deployed as a secondary payload by newer BeatBanker variants.
- **XMRig:** The open-source miner modified for use within the BeatBanker framework.
- **Overlay Attacks:** A technique common to Brazilian banking trojans used by BeatBanker to steal credentials.