Cybersecurity company Kaspersky has uncovered a new Android malware campaign in which cybercriminals are distributing the BeatBanker Trojan disguised as a fake version of the Starlink application.
The discovery was made by the company’s Global Research and Analysis Team, which warned that although the campaign currently targets users primarily in Brazil, the threat could potentially spread to victims in other countries.
Security researchers say the malicious software installs a cryptocurrency mining program and a remote access tool on infected smartphones, giving attackers extensive control over compromised devices.

Android malware: Fake Starlink app used as infection lure
According to Kaspersky, cybercriminals are distributing the malicious application through phishing websites designed to imitate the interface of the Google Play Store.
Once installed on a victim’s device, the fake app presents a user interface resembling the official app store. Victims are then tricked into granting installation permissions that allow the malware to download additional hidden components.
“At first we saw BeatBanker being distributed under the guise of a public services app; it installed a banking Trojan in addition to a cryptocurrency miner,” Fabio Assolini, Head of the Americas and Europe units at Kaspersky’s GReAT, says.
“However, our recent detection efforts uncovered a new campaign with another BeatBanker variant,” Assolini adds, “that deploys the BTMOB RAT instead of the banker module. The attackers appear to be using a fresh lure with the Starlink app to reach more victims from different countries.”

Malware mines cryptocurrency, steals sensitive data
Once activated, the malware deploys a cryptocurrency miner that secretly generates Monero using the victim’s device resources.
To avoid detection, the Trojan monitors device parameters such as battery level, temperature and user activity before activating the hidden mining process.
In addition to mining cryptocurrency, the malware installs the BTMOB RAT, a remote administration tool sold as Malware-as-a-Service.
This tool allows cybercriminals to gain full remote control of infected smartphones. It can automatically grant permissions, hide system notifications and capture screen lock credentials such as PINs, patterns and passwords.
The malware can also access both front and rear cameras, track GPS location and continuously collect sensitive data from the compromised device.
To prevent removal, the BeatBanker Trojan employs an unusual persistence mechanism. It maintains a fixed notification on the device while running a foreground service that plays an almost inaudible audio file on loop.
This technique prevents the Android operating system from terminating the malicious process, making the malware more difficult for users to uninstall.
Kaspersky said its security products currently detect the threat as HEUR:Trojan-Dropper.AndroidOS.BeatBanker and HEUR:Trojan-Dropper.AndroidOS.Banker.
Security advice for smartphone users
The cybersecurity company advises users to download applications only from trusted sources such as Google Play or the Apple App Store, while noting that even official app stores are not entirely risk-free.
Users are also encouraged to review application permissions carefully, check app reviews before installing software, and keep their operating systems and apps updated.
Kaspersky further recommends installing reliable mobile security solutions to detect and block malicious activity before it can compromise devices.

















