BeatBanker is a brand new Android malware campaign targeting users in Brazil, combining banking fraud, crypto-mining and, in its newest wave, full device takeover via a RAT.
It spreads almost entirely through phishing pages that mimic the Google Play Store and trick victims into installing weaponized APKs disguised as legitimate apps and updates.
The operation begins on a counterfeit app store hosted at cupomgratisfood[.]store that visually mimics Google Play.
There, victims are lured with an app called "INSS Reembolso," posing as Brazil's official social security portal for benefits, statements and service requests. By abusing this trusted brand, the attackers persuade users to sideload a malicious APK that kicks off a multi-stage infection.
The initial APK is heavily packed and uses a native library (libludwwiuh.so) to decrypt and load additional ELF and DEX components purely in memory.
Recently uncovered, BeatBanker is an Android-based malware campaign targeting Brazil. It spreads primarily through phishing attacks via a website disguised as the Google Play Store.
To evade mobile security tools, the loader relies on dalvik.system.InMemoryDexClassLoader, anti-emulation checks and a self-destruct routine that fires if it detects an analysis environment.
Once running, it displays a fake Play Store "update" screen for INSS Reembolso to obtain installation permissions for additional hidden payloads.
Crypto Miner, Audio "Heartbeat" and C2
When the user taps "Update," BeatBanker retrieves an encrypted mining payload from attacker-controlled domains such as accessor.fud2026[.]com and fud2026[.]com, then decrypts it with a key derived from the filename's SHA-1 hash.
The native library (an ELF) named libludwwiuh.so is bundled inside the application. Its main task is to decrypt another ELF file that will eventually load the original DEX file.

The final payload is an ARM-compiled XMRig 6.17.0 miner that connects to Monero mining pools at pool.fud2026[.]com:9000 or a proxy at pool-proxy.fud2026[.]com:9000, using TLS and NiceHash-compatible settings.
The Trojan maintains persistence through a foreground service named KeepAliveServiceMediaPlayback that loops a nearly inaudible 5-second audio file (output8.mp3).
Because media playback keeps the service "active," Android's resource management is less likely to kill the process, which inspired the name BeatBanker.
For command-and-control, the malware abuses Google's legitimate Firebase Cloud Messaging (FCM) to receive instructions and relay telemetry, including battery level, temperature, charging state and user presence, and then adjusts mining activity to avoid detection and overheating.
Beyond mining, BeatBanker drops a second APK (INSS Reebolso, package com.destination.cosmetics) that acts as a dedicated banking Trojan.

It again anchors itself via pinned foreground notifications and pushes the user to grant Accessibility permissions, gaining broad control over the interface.
The malware continuously monitors the foreground app and specifically targets Binance and Trust Wallet during USDT transactions.
When a withdrawal is initiated, BeatBanker instantly overlays the real confirmation screen with a fake HTML page stored in Base64 inside the banking module.
BTMOB's ecosystem is actively promoted across GitHub, Telegram, YouTube and dark-web forums, where leaked source code is traded, making it easier for actors like the BeatBanker operators to integrate it as a final payload.
It captures the original address and amount, silently replaces the destination wallet with an attacker-controlled USDT address via AccessibilityNodeInfo.ACTION_SET_TEXT, and shows the victim either the copied address (Binance) or a loading spinner (Trust Wallet) so the fraud goes unnoticed.
The module also monitors popular browsers to collect visited domains and remotely open attacker-supplied links.
From Banker to BTMOB RAT
In a more recent wave, the operators swapped the custom banking module for BTMOB, a powerful Android RAT that evolved from CraxsRAT, CypherRAT and SpySolr and is sold under a Malware-as-a-Service model.
Ultimately, the modified byte array contains the original text, which is then converted to UTF-8 and returned as a string.

These samples have been seen posing as a fraudulent StarLink application and reuse the same techniques: fake Play-style pages, looping audio, pinned notifications and a bundled crypto miner.
BTMOB is heavily obfuscated but retains a rich feature set: persistent background execution, protection against uninstall and reset, real-time screen recording, keylogging, live screen sharing, file and SMS control, and access to both cameras and GPS.

So far, all observed BeatBanker variants, both the banker and the BTMOB-based builds, have been detected on Android users in Brazil, with evidence that some BTMOB infections also propagate via WhatsApp links alongside the phishing pages.
The campaign shows how mobile threats now blend stealthy mining, financial fraud and full remote control into a single, persistent implant.
To reduce exposure, Android users should: only install apps from official stores and verify publishers, scrutinize requests for Accessibility and "install unknown apps" permissions, and keep both the OS and mobile security tools fully up to date.
Enterprise defenders should also monitor for connections to the listed BeatBanker and BTMOB infrastructure and block known domains such as cupomgratisfood[.]store and fud2026[.]com at the network layer.
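One way for network defenders to act on the indicators above, as an added example that is not code from the original article: a small Python scanner that refangs the published domains, matches them and their subdomains against connection log lines, and separately flags traffic to the XMRig pool port. The log line format and the sample lines are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Network indicators quoted in the article, kept defanged exactly as published.
DEFANGED_DOMAINS = ["cupomgratisfood[.]store", "fud2026[.]com"]
MINER_POOL_PORT = 9000  # port of pool.fud2026[.]com and pool-proxy.fud2026[.]com

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'fud2026[.]com' into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

BLOCKED_APEXES = [refang(d) for d in DEFANGED_DOMAINS]

def match_apex(host: str) -> Optional[str]:
    """Return the blocked apex if host equals it or is a subdomain of it, else None."""
    host = host.lower().rstrip(".")
    for apex in BLOCKED_APEXES:
        # Label-aware suffix check: 'notfud2026.com' must not match 'fud2026.com'.
        if host == apex or host.endswith("." + apex):
            return apex
    return None

# Constructed (assumed) log format: '<timestamp> <source-ip> <proto> <host>[:<port>]'.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<proto>\S+)\s+(?P<host>[^\s:]+)(?::(?P<port>\d+))?$"
)

def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that reaches BeatBanker infrastructure."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not fit the constructed format
        apex = match_apex(m["host"])
        if apex is None:
            continue
        port = int(m["port"]) if m["port"] else 0
        reason = "miner-pool" if port == MINER_POOL_PORT else "infrastructure"
        hits.append({"ts": m["ts"], "src": m["src"], "host": m["host"], "apex": apex, "reason": reason})
    return hits

# Constructed sample lines (not real traffic): apex hit, subdomain hit, pool hit, benign, look-alike.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 10.0.0.5 dns cupomgratisfood.store",
    "2025-01-01T10:00:05Z 10.0.0.5 tls accessor.fud2026.com:443",
    "2025-01-01T10:00:09Z 10.0.0.5 tcp pool-proxy.fud2026.com:9000",
    "2025-01-01T10:00:12Z 10.0.0.7 tls play.google.com:443",
    "2025-01-01T10:00:15Z 10.0.0.7 tls notfud2026.com:443",
]
```

Feeding real DNS or proxy logs requires only adapting LOG_RE to that log's field order; the matching and port logic stay the same.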