securityaffairs.com 3/11/2026, 7:53:19 PM · via preferred

BeatBanker malware targets Android users with banking Trojan and crypto miner

Primary Source securelist.com

BeatBanker is an Android malware campaign that combines banking trojan capabilities with cryptocurrency mining. It spreads via fake Starlink apps on websites imitating the Google Play Store, where the malicious APKs hijack devices, steal credentials, and mine Monero, sometimes maintaining long-term remote control of infected phones.

The campaign, which primarily targets Brazil, uses phishing pages and WhatsApp to distribute the payload and pursue persistent access. Newer attacks swap the banker component for a RAT to maintain control and communications with mining pools. According to the report published by Kaspersky, BeatBanker disguises itself as legitimate apps and even as the Play Store, loading hidden malware in memory to evade mobile antivirus detection.

It uses Firebase Cloud Messaging as a command-and-control channel, checks device conditions before starting or stopping the miner, and maintains persistence via a foreground service that plays a silent audio loop. The latest variant introduces BTMOB RAT, linked to CraxsRAT and CypherRAT, enabling full device control and additional malicious capabilities.


Article by CyberSIXT