BeatBanker is a sophisticated Android malware campaign primarily targeting users in Brazil through phishing sites mimicking the Google Play Store. The infection begins with a packed APK that utilizes native ELF libraries to decrypt and load malicious DEX code directly into memory, effectively bypassing traditional mobile antivirus detection. Once established, the malware ensures long-term persistence through an inventive mechanism of looping a nearly inaudible audio file, which prevents the operating system from suspending or terminating the malicious background process.
The malware operates a dual-payload strategy, deploying an XMRig cryptocurrency miner alongside a modular banking Trojan or, in more recent variants, the BTMOB remote administration tool (RAT). It leverages Android Accessibility Services to perform overlay attacks on financial applications like Binance and Trust Wallet, surreptitiously redirecting USDT transactions to attacker-controlled addresses. By monitoring battery levels, temperature, and user activity via Firebase Cloud Messaging (FCM), BeatBanker maintains a stealthy and persistent presence on compromised devices.
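The two capabilities the write-up names, an enabled Accessibility Service used for overlays and a background process that keeps itself alive by holding audio playback, are both visible to a defender from standard `adb shell` output. The following triage script is an added example, not code from the original article or from the campaign analysis it summarises. It correlates constructed samples of three real commands (`settings get secure enabled_accessibility_services`, `pm list packages -i`, and the audio-focus stack printed by `dumpsys audio`) and scores packages that combine an enabled accessibility service, a non-Play-Store installer, and a held audio focus. The package names, the `TRUSTED_INSTALLERS` set, and the exact `dumpsys` line layout are assumptions; the regexes are deliberately loose so they tolerate small format differences between Android releases.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Real format is "pkg/service:pkg2/service2", or the literal "null" when none is enabled.
# Package names are invented for this example.
ENABLED_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.playstore.update/com.example.playstore.update.OverlayService"
)

# Constructed sample of `adb shell pm list packages -i`.
# installer=null means the package was sideloaded or the installer is unknown.
PM_LIST_I = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.binance.dev  installer=com.android.vending
package:com.example.playstore.update  installer=null
package:com.example.notes  installer=null
"""

# Constructed excerpt of the audio focus stack from `adb shell dumpsys audio`.
# Only the "-- pack: <package>" token is relied on below.
DUMPSYS_AUDIO = """\
Audio Focus stack entries (last is top of stack):
  source:android.os.BinderProxy@1a2b3c -- pack: com.example.playstore.update -- client: android.media.AudioManager@4d5e6f -- gain: GAIN -- flags: 0 -- loss: 0 -- notified: true -- uid: 10234 -- attr: AudioAttributes: usage=USAGE_MEDIA content=CONTENT_TYPE_MUSIC -- sdk:29
"""

# Assumption for this example: the Play Store is the only installer we trust.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_accessibility(setting: str) -> set[str]:
    """Return the packages that own an enabled accessibility service."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry}


def parse_installers(text: str) -> dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    pattern = re.compile(r"^package:(\S+)\s+installer=(\S+)", re.MULTILINE)
    return {pkg: installer for pkg, installer in pattern.findall(text)}


def parse_audio_focus(text: str) -> set[str]:
    """Return the packages that currently hold an entry in the audio focus stack."""
    return set(re.findall(r"--\s*pack:\s*(\S+)", text))


def triage(accessibility: str, installers_text: str, audio_text: str) -> list[dict]:
    """Score every installed package by how many of the three indicators it shows.

    A legitimate screen reader will score 1 (accessibility only); a sideloaded
    package that also holds audio focus while running an accessibility service
    scores 3 and is the one to inspect first.
    """
    a11y = parse_accessibility(accessibility)
    installers = parse_installers(installers_text)
    audio = parse_audio_focus(audio_text)
    findings = []
    for pkg, installer in installers.items():
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"sideloaded (installer={installer})")
        if pkg in audio:
            reasons.append("holds audio focus")
        if reasons:
            findings.append({"package": pkg, "score": len(reasons), "reasons": reasons})
    # Highest score first; ties broken by package name for stable output.
    return sorted(findings, key=lambda f: (-f["score"], f["package"]))


if __name__ == "__main__":
    for f in triage(ENABLED_ACCESSIBILITY, PM_LIST_I, DUMPSYS_AUDIO):
        print(f"{f['score']}  {f['package']}: {', '.join(f['reasons'])}")
```

On a live device the three inputs would come from `adb shell` rather than the constants above; the scoring is intentionally a coarse heuristic that surfaces candidates for manual review, since a screen reader or a music player will each legitimately trip one of the indicators on its own.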