Recently, researchers uncovered BeatBanker, an Android malware campaign mainly targeting users in Brazil. The malware spreads through phishing attacks using a fake website that imitates the Google Play Store.
The malicious APK files contain multiple harmful components, including:
- a cryptocurrency miner
- a banking Trojan capable of hijacking the device
- screen spoofing capabilities
- other surveillance and control functions
In newer campaigns, attackers replaced the banking Trojan with a known Remote Access Trojan (RAT).
This article explains how the malware infects devices, how it maintains persistence, and how it communicates with mining pools and command-and-control (C2) infrastructure.
Key Findings
- The malware uses an unusual persistence trick: it continuously loops an almost inaudible audio file from a foreground service, so Android treats the process as active media playback and does not kill it. This behavior inspired the name BeatBanker.
- It monitors battery temperature, battery percentage, and device usage.
- At different stages of the attack, BeatBanker pretends to be legitimate apps, including the Google Play Store.
- It deploys both a banking Trojan and a cryptocurrency miner.
- During USDT transactions, it overlays fake screens for Binance and Trust Wallet, secretly replacing the destination address with the attacker’s address.
- New samples drop the BTMOB RAT instead of the banking module.
Initial Infection Vector
The campaign starts with a fake website: cupomgratisfood[.]shop
This website closely imitates the Google Play Store. It hosts a malicious app called “INSS Reembolso.” Other apps listed on the site are probably Trojans as well, but researchers have not yet obtained samples of them.
The INSS Reembolso app pretends to be the official mobile portal of Brazil’s Instituto Nacional do Seguro Social (INSS). The real INSS platform allows users to perform more than 90 social security services, including:
- retirement applications
- scheduling medical exams
- viewing CNIS (National Registry of Social Information)
- checking taxes and payments
- tracking service requests
Because the platform is widely trusted, users are more likely to download the malicious APK.
Packing and Obfuscation
The initial APK is packed and contains a native shared library:
libludwwiuh.so
Its purpose is to decrypt a second ELF file, which in turn loads the original DEX.
Steps involved:
- libludwwiuh.so decrypts an encrypted ELF file embedded in the APK.
- The decrypted file is dropped into a temporary location.
- The application loads this file as a native library.
- Execution continues through the Java Native Interface (JNI).
l.so – DEX Loader
The loader hides the Java method names it resolves through JNI as XOR-encrypted stack strings that are decrypted only at runtime, so they never appear as plaintext in the library's string table.
The loader first collects network information by querying the public IP-lookup service https://ipapi.is
From the response it checks:
- whether the device is mobile
- if a VPN is active
- the device’s IP address
- other network details
Antivirus Evasion
The loader evades file-based antivirus scanning by loading its next stage with:
dalvik.system.InMemoryDexClassLoader
This class (available since Android 8.0, API level 26) loads a DEX image straight from a ByteBuffer, so the decrypted payload never touches the filesystem where an on-access scanner would inspect it.
Analysts can still recover the DEX with a dynamic instrumentation tool such as Frida, by hooking the class loader's constructor and dumping the buffer it receives.
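Recovering the in-memory DEX in practice, as an added example rather than code from the original analysis: the Frida script hooks both InMemoryDexClassLoader constructors and writes each buffer to the app's private directory (PACKAGE_NAME is a placeholder for the sample's package, and the use of Frida is an assumed tool choice), and the Python part checks a dump the way an analyst should before loading it into a decompiler. The sample DEX the code builds is constructed test data, not a real payload.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70

# Frida script (assumed tooling): load with
#   frida -U -f PACKAGE_NAME -l dump_dex.js
# PACKAGE_NAME is a placeholder; dumps are pulled afterwards with adb.
DUMP_DEX_JS = r"""
Java.perform(function () {
  var Loader = Java.use('dalvik.system.InMemoryDexClassLoader');
  var FileOutputStream = Java.use('java.io.FileOutputStream');
  var counter = 0;

  function dumpBuffer(buf) {
    var dup = buf.duplicate();          // leave the caller's position untouched
    var len = dup.remaining();
    var arr = Java.array('byte', new Array(len).fill(0));
    dup.get(arr, 0, len);               // ByteBuffer.get(byte[], int, int)
    var path = '/data/data/PACKAGE_NAME/dump_' + (counter++) + '.dex';
    var out = FileOutputStream.$new(path);
    out.write.overload('[B').call(out, arr);
    out.close();
    send({ path: path, size: len });
  }

  Loader.$init.overload('java.nio.ByteBuffer', 'java.lang.ClassLoader')
    .implementation = function (buf, parent) {
      dumpBuffer(buf);
      return this.$init(buf, parent);
    };
  try {  // multi-buffer constructor, only present on API 29+
    Loader.$init.overload('[Ljava.nio.ByteBuffer;', 'java.lang.ClassLoader')
      .implementation = function (bufs, parent) {
        for (var i = 0; i < bufs.length; i++) dumpBuffer(bufs[i]);
        return this.$init(bufs, parent);
      };
  } catch (e) {}
});
"""


def parse_dex_header(blob: bytes) -> dict:
    """Validate a dumped buffer before trusting it.

    A dump taken from the wrong buffer position, or truncated, shows up as a
    file_size or checksum mismatch; a non-DEX payload fails the magic check."""
    if len(blob) < DEX_HEADER_SIZE:
        return {"ok": False, "problems": ["shorter than a DEX header"]}
    problems = []
    magic = blob[:8]
    if not (magic[:4] == b"dex\n" and magic[7] == 0):
        problems.append("bad magic %r" % magic)
    version = magic[4:7].decode("ascii", "replace")
    (stored_checksum,) = struct.unpack_from("<I", blob, 8)
    file_size, header_size = struct.unpack_from("<II", blob, 0x20)
    if file_size != len(blob):
        problems.append("file_size %d != dump length %d" % (file_size, len(blob)))
    if header_size != DEX_HEADER_SIZE:
        problems.append("unexpected header_size 0x%x" % header_size)
    # checksum field: Adler-32 over everything after the field itself
    if (zlib.adler32(blob[12:]) & 0xFFFFFFFF) != stored_checksum:
        problems.append("adler32 mismatch")
    # signature field: SHA-1 over everything after the field itself
    if hashlib.sha1(blob[32:]).digest() != blob[12:32]:
        problems.append("sha1 signature mismatch")
    return {
        "ok": not problems,
        "version": version,
        "file_size": file_size,
        "sha256": hashlib.sha256(blob).hexdigest(),
        "problems": problems,
    }


def build_sample_dex(version: bytes = b"035") -> bytes:
    """Constructed header-only DEX with consistent size, signature and checksum.

    Test data only: a real dump also carries string/type/method tables."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n" + version + b"\x00"
    struct.pack_into("<II", hdr, 0x20, DEX_HEADER_SIZE, DEX_HEADER_SIZE)
    struct.pack_into("<I", hdr, 0x28, 0x12345678)  # endian_tag, little-endian
    hdr[12:32] = hashlib.sha1(bytes(hdr[32:])).digest()
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


if __name__ == "__main__":
    print(parse_dex_header(build_sample_dex()))
```

The two integrity fields are worth checking every time: a hook that copies from the buffer's current position instead of a duplicate, or that stops early, yields a file that looks like a DEX but fails the Adler-32 check, and time spent on such a dump in a decompiler is wasted.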
The malware also includes anti-analysis techniques, such as detecting:
- emulators
- analysis environments
- unsupported CPU architectures
If such conditions are detected, the malware terminates itself using:
android.os.Process.killProcess(android.os.Process.myPid())
Fake Play Store Update
After execution, the malware displays a fake Google Play Store page showing an update for the INSS Reembolso app.
The victim is prompted to click “Update.”
Tapping it walks the victim through the system prompt that lets the app install packages, after which the malware downloads its additional payloads.
The update flow relies on the permission:
REQUEST_INSTALL_PACKAGES
which, once the victim enables “Install unknown apps” for the app, allows the malware to sideload APKs from outside Google Play.
To remain active, the malware:
- pins a system update notification
- activates a foreground service
- continuously plays silent media
This prevents Android from terminating the process.
Cryptocurrency Mining
When the victim taps “Update,” the malware downloads an ELF file containing a cryptocurrency miner.
It retrieves the payload from:
hxxps://accessor.fud2026.com/libmine-<arch>.so
hxxps://fud2026.com/libmine-<arch>.so
The downloaded file is decrypted on the device through a javax.crypto.CipherInputStream.
The decryption key is derived from the SHA-1 hash of the file name, so each build of the miner is encrypted under a different key. This is versioning rather than secrecy: the file name is part of the download URL, so anyone holding the sample and the URL can reproduce the key and decrypt the payload offline.
After decryption, the file is renamed:
d-miner
The payload is XMRig 6.17.0, the open-source Monero miner, compiled for ARM.
Mining Pool Communication
The miner attempts to connect to:
pool.fud2026[.]com:9000
If that fails, it switches to:
pool-proxy.fud2026[.]com:9000
The XMRig command line includes the following arguments:
- -o pool.fud2026[.]com:9000 (or pool-proxy.fud2026[.]com:9000 as the fallback): the mining pool to connect to
- -k: send keepalive packets so the pool connection is not dropped while idle
- --tls: wrap the Stratum connection in TLS, which hides the mining protocol from plaintext network inspection
- --no-color: disable colored console output
- --nicehash: use the NiceHash variant of the protocol, in which the pool assigns the nonce range
C2 Communication
BeatBanker uses Google Firebase Cloud Messaging (FCM), a legitimate push-notification service, as its command-and-control channel, so its command traffic blends in with ordinary Google traffic.
Each FCM message triggers checks for:
- battery level
- battery temperature
- installation date
- user activity
Based on these checks, the malware starts or stops the miner, limiting mining to moments when it is least likely to be noticed.
The implant reports the following fields to the attacker:
- isCharging – whether the phone is charging
- batteryLevel – battery percentage
- isRecentInstallation – delays actions if newly installed
- isUserAway – checks if the user is inactive
- overheat – whether the device is overheating
- temp – battery temperature
Persistence Mechanism
BeatBanker uses a service called:
KeepAliveServiceMediaPlayback
This service continuously plays a five-second audio file:
output8.mp3
The audio loops indefinitely and contains Chinese speech.
Because Android treats a foreground service with ongoing media playback as user-facing work, the process is given high priority and is spared by the system's memory and battery management, which keeps the malware running in the background.
Banking Module
BeatBanker installs another malicious APK:
INSS Reebolso
package: com.destination.cosmetics
It maintains persistence by:
- displaying a permanent notification
- requesting Accessibility permissions
Once granted, the accessibility service lets the malware read everything on screen, inject text and simulate taps, which amounts to full control of the device interface.
Cryptocurrency Theft
The banking Trojan monitors the foreground application.
It specifically targets:
- Binance (com.binance.dev)
- Trust Wallet (com.wallet.crypto.trustapp)
When a user attempts a USDT withdrawal, the Trojan:
- Displays a fake overlay screen.
- Captures the original withdrawal address and amount.
- Writes the attacker's wallet address into the destination field of the real app by invoking the accessibility action:
AccessibilityNodeInfo.ACTION_SET_TEXT
The victim sees a legitimate interface but unknowingly sends funds to the attacker.
Browser Monitoring
BeatBanker monitors these browsers:
- Chrome
- Firefox
- Samsung Browser
- Brave
- Opera
- DuckDuckGo
- Dolphin Browser
- Edge
It extracts the visited site from each URL with this regex (shown as it appears in the Java source, with escaped backslashes); capture group 1 is the last two labels of the host name, for example binance.com from www.binance.com:
^(?:https?://)?(?:[^:/\\]+\\.)?([^:/\\]+\\.[^:/\\]+)
Over the C2 channel the operator can also instruct the module to:
- add links
- edit links
- delete links
- open attacker-provided links
Command and Control Capabilities
BeatBanker supports many C2 commands, allowing attackers to:
- record audio
- capture screen content
- run a keylogger
- send SMS messages
- control apps
- execute USSD commands
- wipe the device
- lock the screen
- stream the display
- perform gesture macros
- manage VPN/firewall rules
These commands give the attacker complete control over the infected device.
New Variant: BTMOB RAT
New BeatBanker samples distribute a fake StarLink app.
The infection chain remains similar:
- fake apps
- looping audio persistence
- cryptomining component
However, instead of the banking Trojan, the malware installs BTMOB RAT.
BTMOB RAT Overview
BTMOB is an Android RAT derived from:
- CraxsRAT
- CypherRAT
- SpySolr
It is sold as Malware-as-a-Service (MaaS).
On July 26, 2025, a threat actor using the name “brmobrats” posted a screenshot of BTMOB on GitHub and linked it to:
btmob[.]xyz
The website lists:
- RAT features
- version history
- Telegram contact
A YouTube channel was also created to demonstrate the malware and advertise its sale.
Leaked BTMOB source code has also appeared on dark web forums, suggesting the BeatBanker operators obtained it there.
BTMOB Capabilities
BTMOB provides extensive surveillance and control features, including:
- automatic permission granting (Android 13–15)
- hidden overlay notifications
- silent installation
- persistent background operation
- screen lock credential capture (PIN, pattern, password)
- camera access
- keystroke logging
- GPS tracking
- continuous data collection
These capabilities allow full remote control of infected devices.
Victims
All BeatBanker variants have been detected in Brazil.
Some of the BTMOB-dropping samples also appear to spread through phishing websites.
Conclusion
BeatBanker demonstrates how modern Android malware is becoming more complex and multi-layered.
Initially targeting Brazil, the malware combines:
- cryptocurrency mining
- banking credential theft
- crypto transaction manipulation
New versions go even further by deploying the BTMOB RAT.
One of the most unusual persistence techniques is the looping audio trick, which keeps the malware alive by preventing Android from terminating the process.
The malware also focuses heavily on stealth, monitoring device usage, battery status, and temperature while communicating through Google Firebase Cloud Messaging.
Its banking module can overlay Binance and Trust Wallet screens and redirect USDT transactions to attacker wallets without the victim noticing.
How to Protect Yourself
- Download apps only from official sources. Use the Google Play Store or your device manufacturer's official store.
- Check app permissions. Be cautious with apps requesting accessibility permissions or the ability to install other packages.
- Keep your system updated. Install Android security updates and maintain a reliable mobile security solution.
Detection
Security products detect BeatBanker as:
HEUR:Trojan-Dropper.AndroidOS.BeatBanker
HEUR:Trojan-Dropper.AndroidOS.Banker.*
Indicators of Compromise (IoCs)
Host-based (MD5)
F6C979198809E13859196B135D21E79B – INSS Reebolso
D3005BF1D52B40B0B72B3C3B1773336B – StarLink
Domains
cupomgratisfood[.]shop
fud2026[.]com
accessor.fud2026[.]com
pool.fud2026[.]com
pool-proxy.fud2026[.]com
aptabase.fud2026[.]com
aptabase.khwdji319[.]xyz
btmob[.]xyz
bt-mob[.]net
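Matching these IoCs against telemetry, as an added example that is not part of the original article: the domains and hashes are the ones listed above, the DNS log lines are constructed, and the log format (timestamp, client, query type, name) is assumed.

```python
import hashlib
import re

# Network IoCs from the article, kept defanged as published.
DEFANGED_DOMAINS = [
    "cupomgratisfood[.]shop", "fud2026[.]com", "accessor.fud2026[.]com",
    "pool.fud2026[.]com", "pool-proxy.fud2026[.]com", "aptabase.fud2026[.]com",
    "aptabase.khwdji319[.]xyz", "btmob[.]xyz", "bt-mob[.]net",
]
# Host IoCs from the article (MD5 of the dropped APKs).
MD5_IOCS = {
    "f6c979198809e13859196b135d21e79b": "INSS Reebolso",
    "d3005bf1d52b40b0b72b3c3b1773336b": "StarLink",
}


def refang(domain: str) -> str:
    """Turn a defanged IoC (or a logged name) into a comparable form."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def matching_ioc(qname: str):
    """Return the IoC covering qname (exact or parent domain), else None.

    Parent-domain matching catches subdomains not on the list; the longest
    hit wins so pool.fud2026.com is reported as itself, not as fud2026.com."""
    name = refang(qname)
    hits = [d for d in IOC_DOMAINS if name == d or name.endswith("." + d)]
    return max(hits, key=len) if hits else None


# Constructed resolver log, assumed format: timestamp client qtype qname
SAMPLE_DNS_LOG = """\
2025-11-03T10:12:07Z 10.0.0.23 A play.google.com
2025-11-03T10:12:09Z 10.0.0.23 A cupomgratisfood.shop
2025-11-03T10:13:41Z 10.0.0.23 A accessor.fud2026.com
2025-11-03T10:13:58Z 10.0.0.23 A pool-proxy.fud2026.com
2025-11-03T10:14:02Z 10.0.0.77 A notfud2026.com
2025-11-03T10:14:05Z 10.0.0.77 AAAA ipapi.is
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)\s+(\S+)$")


def scan_dns_log(text: str):
    """Return one hit per log line whose query name is covered by an IoC."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, _qtype, qname = m.groups()
        ioc = matching_ioc(qname)
        if ioc:
            hits.append({"time": ts, "client": client,
                         "qname": refang(qname), "ioc": ioc})
    return hits


def lookup_md5(hexdigest: str):
    """Map an APK's MD5 (any case) to the IoC label, or None."""
    return MD5_IOCS.get(hexdigest.strip().lower())


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

Note what the constructed log shows: the ipapi.is lookup from the loader is not itself an indicator, because plenty of legitimate apps query that service, and a look-alike such as notfud2026.com must not match, which is why the parent-domain test requires the leading dot. Since the miner talks TLS to port 9000, the pool names also appear in TLS SNI, so the same domain matcher can be run over TLS or proxy logs.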
