securelist.com 3/10/2026, 10:18:30 AM · via preferred

BeatBanker targets Brazil via phishing store, brings BTMOB RAT

Threat Actor
BeatBanker

BeatBanker is a dual‑mode Android Trojan described by GReAT researchers. It targets Brazil and spreads primarily through phishing on a counterfeit website that mimics the Google Play Store. The malware payload includes both a cryptocurrency miner and a banking Trojan; later campaigns switch to a known RAT variant called BTMOB and drop the banking module in some samples.

For persistence, BeatBanker loops a near‑inaudible audio track and shows a fixed foreground notification; running as a foreground service with silent media playback lets it resist termination. Its C2 communications rely on Google’s Firebase Cloud Messaging, and the malware monitors battery status and device usage to decide when to act.
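A static triage heuristic for the persistence and C2 pattern described above, as an added example that is not from the Securelist article or this summary. It assumes a manifest already decoded to text XML; the signal names, the allow-list of media actions and both sample manifests are constructed for illustration, and a hit is a reason for review, since legitimate apps also combine media playback with push messaging.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
# Intent actions a genuine media app normally exposes (assumed allow-list).
MEDIA_ACTIONS = {"android.media.browse.MediaBrowserService",
                 "android.intent.action.MEDIA_BUTTON"}

# Constructed sample manifests, not taken from any real APK.
SAMPLE_SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
 <application>
  <service android:name=".KeepAlive" android:foregroundServiceType="mediaPlayback"/>
  <service android:name=".Push"><intent-filter>
   <action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter></service>
 </application></manifest>"""
SAMPLE_PLAYER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
 <application>
  <service android:name=".Player" android:foregroundServiceType="mediaPlayback"><intent-filter>
   <action android:name="android.media.browse.MediaBrowserService"/></intent-filter></service>
  <service android:name=".Push"><intent-filter>
   <action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter></service>
 </application></manifest>"""

def triage_manifest(xml_text):
    """Return the set of signals found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    signals, media_surface = set(), False
    for comp in root.iter():
        if comp.tag not in ("service", "receiver", "activity"):
            continue
        acts = {a.get(NS + "name") for a in comp.iter("action")}
        media_surface |= bool(acts & MEDIA_ACTIONS)
        if comp.tag == "service":
            types = (comp.get(NS + "foregroundServiceType") or "").split("|")
            if "mediaPlayback" in types:
                signals.add("media_playback_fgs")
            if FCM_ACTION in acts:
                signals.add("fcm_receiver")
    if "media_playback_fgs" in signals and not media_surface:
        signals.add("no_media_surface")
    return signals

def is_suspicious(signals):
    # Heuristic: playback foreground service, nothing media-facing, FCM push channel.
    return {"media_playback_fgs", "no_media_surface", "fcm_receiver"} <= signals

if __name__ == "__main__":
    print(sorted(triage_manifest(SAMPLE_SUSPECT)), is_suspicious(triage_manifest(SAMPLE_SUSPECT)))
```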

The banking module can overlay Binance and Trust Wallet screens to substitute the destination USDT address during transactions. Newer BeatBanker samples have introduced the BTMOB RAT, expanding its MaaS capabilities and remote control features. Victims have been detected in Brazil across variants, including those delivered via WhatsApp in some cases.


Article by CyberSIXT
