

Ethical Hacking News

New Android Malware Discovered: BeatBanker Targets Starlink App to Hijack Devices


BeatBanker, a new Android malware discovered by Kaspersky researchers, disguises itself as the Starlink app on compromised websites to hijack devices, combining banking trojan functions with Monero mining capabilities. Learn more about this newly discovered threat and how you can protect yourself from similar attacks.

  • BeatBanker is a new Android malware that poses as a legitimate Starlink app on websites masquerading as the official Google Play Store.
  • The malware combines banking trojan functions with Monero mining capabilities to steal credentials and tamper with cryptocurrency transactions.
  • The malware uses continuous playback of an inaudible recording to maintain persistence even when the device is inactive.
  • The malware sends information about the device's battery level, temperature, and usage activity to a C2 server using Firebase Cloud Messaging (FCM).
  • The malware employs a modified XMRig miner version to mine Monero on Android devices, connecting to attacker-controlled mining pools.
  • Users are advised not to download APKs from outside the official Google Play store and review granted permissions for apps with suspicious capabilities.
  • Regular Play Protect scans can help prevent infections and mobile device owners should remain vigilant to secure their Android devices.



    BeatBanker, a newly discovered Android malware, poses as a legitimate Starlink app on websites masquerading as the official Google Play Store. The lure is designed to trick users into installing the malware, which can then hijack their devices.

    According to recent research by Kaspersky, BeatBanker combines banking trojan functions with Monero mining capabilities, allowing it to steal credentials and tamper with cryptocurrency transactions. The malware's persistence is maintained through a unique method involving continuous playback of a nearly inaudible 5-second recording of Chinese speech from an MP3 file named output8.mp3.

    This approach keeps the malware running even when the device is inactive, preventing it from being terminated by the operating system. Using Firebase Cloud Messaging (FCM), the malware continuously sends information about the device's battery level, temperature, charging status, usage activity, and overheating status to its command-and-control (C2) server.

    BeatBanker also employs a modified version of the XMRig miner (6.17.0), compiled for ARM devices, to mine Monero on Android devices. The miner connects to attacker-controlled mining pools over encrypted TLS connections and falls back to a proxy if the primary address fails.

    Furthermore, the miner can be dynamically started or stopped based on device conditions, ensuring optimal operation and maintaining stealth. The attackers closely monitor these conditions so that the miner runs only when it is feasible, thereby hiding the malicious activity from detection.

    Researchers have observed all BeatBanker infections in Brazil but note that the malware could expand to other countries if it proves effective. As a result, Android users are advised not to download APKs from outside the official Google Play store unless they trust the publisher or distributor, and to review granted permissions for apps with suspicious or unnecessary capabilities.

    Regular Play Protect scans can also help prevent infections. To safeguard themselves against similar threats, mobile device owners should remain vigilant and take proactive steps to secure their Android devices.
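
To support the advice above about APKs from outside Google Play, the following added example (not from the original article or from Kaspersky's research) flags third-party packages whose installer of record is not the Play Store. It parses the output of `adb shell pm list packages -i -3`; the sample listing and every package name in it are constructed.

```python
import re
import sys

# Installer package name of the official Google Play Store.
PLAY_STORE = "com.android.vending"

# One line of `pm list packages -i` output: package:<name>  installer=<name|null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample listing (not taken from a real or infected device).
SAMPLE = """\
package:com.example.notes  installer=com.android.vending
package:com.example.fakeapp  installer=null
package:com.example.browserdrop  installer=com.google.android.packageinstaller
package:com.example.vendorstore.app  installer=com.example.vendorstore
"""


def audit_installers(listing, trusted=(PLAY_STORE,)):
    """Return (package, reason) pairs for packages not installed by a trusted store."""
    findings = []
    for raw in listing.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip blank lines, adb warnings and other noise
        pkg, installer = match.group("pkg"), match.group("inst")
        if installer in trusted:
            continue
        if installer == "null":
            reason = "no installer of record"
        else:
            reason = "installed by " + installer
        findings.append((pkg, reason))
    return findings


if __name__ == "__main__":
    # Pipe real output in, e.g.:
    #   adb shell pm list packages -i -3 | python3 audit_installers.py
    # With no piped input, the constructed sample is used instead.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for pkg, reason in audit_installers(text):
        print(f"REVIEW {pkg}: {reason}")
```

A flagged package is not necessarily malicious; it is a candidate for the permission review the article recommends.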


  • Published: Tue Mar 10 19:07:39 2026 by llama3.2 3B Q4_K_M












