Kaspersky Global Research and Analysis Team (GReAT) has uncovered a new Android malware campaign in which cybercriminals distributed the BeatBanker Trojan under the guise of the Starlink application for Android.

Threat actors primarily target users from Brazil; nevertheless, Kaspersky experts don’t rule out that users from other countries may also face this threat.

The Trojan employs a Monero cryptocurrency miner and additionally installs a BTMOB remote administration tool (RAT) on the infected devices. To maintain its persistence, BeatBanker uses an uncommon mechanism involving a nearly inaudible looped audio file.

“At first we saw BeatBanker being distributed under the guise of a public services app; it installed a banking Trojan in addition to a cryptocurrency miner,” explains Fabio Assolini, head of the Americas & Europe units at Kaspersky GReAT.

“However, our recent detection efforts uncovered a new campaign with another BeatBanker variant that deploys the BTMOB RAT instead of the banker module. The attackers appear to be using a fresh lure with the Starlink app to reach more victims from different countries. Therefore, it is important for users to stay vigilant and use advanced solutions to protect their smartphones.”


Initial vector of infection

Kaspersky experts believe that cybercriminals distribute a fake Starlink application containing the BeatBanker Trojan through phishing pages that mimic the Google Play Store. After execution on a compromised device, the Trojan displays a user interface that also mimics Google Play. Cybercriminals trick victims into granting installation permissions, thus allowing the download of additional hidden malicious payloads.


Crypto mining and BTMOB RAT module

When a user clicks UPDATE on the fake Google Play page, a Monero cryptocurrency miner is deployed. BeatBanker monitors the infected smartphone's battery percentage, temperature and user activity, and starts or stops the hidden cryptocurrency miner accordingly.

The Android Trojan also installs a BTMOB RAT on the compromised device. BTMOB enables full remote control and is sold as Malware-as-a-Service. It can grant permissions automatically, hide system notifications, and capture screen lock credentials, including PINs, patterns and passwords, on compromised devices. The malware also gives cybercriminals access to the front and rear cameras, GPS location monitoring, and constant collection of sensitive data.

To ensure persistence and hinder uninstallation, BeatBanker maintains a fixed notification in the foreground and activates a foreground service with silent media playback. This tactic is designed to prevent the operating system from removing the malicious process.
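The three behaviours described above (the installation permission abused for hidden payloads in the initial-vector section, the RAT's permission and data-collection capabilities, and the silent-media foreground service used for persistence) all leave traces in an app's manifest. The following is an added defensive triage example, not Kaspersky's code or anything from the report: it parses an AndroidManifest.xml (assumed to have been extracted from an APK with a tool such as apktool) and scores the combination of a REQUEST_INSTALL_PACKAGES permission, a foreground service typed mediaPlayback, an AccessibilityService binding, and camera/location permissions. The permission names and manifest attributes are real Android identifiers; treating the accessibility binding as the likely auto-grant mechanism is an assumption, and the weights, thresholds, package names and sample manifests are constructed for illustration.

```python
"""Static manifest triage for the BeatBanker-style permission/service pairing.

Added example, not Kaspersky's or the malware authors' code. Sample manifests
and scoring weights below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_FST = "{%s}foregroundServiceType" % ANDROID_NS
A_PERM = "{%s}permission" % ANDROID_NS

# Rule id -> (weight, description). Weights are an assumption for this example.
RULES = {
    "sideload_installer": (3, "REQUEST_INSTALL_PACKAGES: app can install further packages"),
    "media_fg_service": (2, "foreground service typed mediaPlayback: audio-backed persistence"),
    "accessibility_service": (2, "AccessibilityService binding: often abused to auto-accept prompts"),
    "camera": (1, "CAMERA permission"),
    "location": (1, "ACCESS_FINE_LOCATION permission"),
}


def triage_manifest(xml_text: str) -> dict:
    """Score one AndroidManifest.xml; return package, ordered findings, score, verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    findings = []

    def hit(rule):
        if rule not in findings:
            findings.append(rule)

    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        hit("sideload_installer")
    if "android.permission.CAMERA" in perms:
        hit("camera")
    if "android.permission.ACCESS_FINE_LOCATION" in perms:
        hit("location")
    for svc in root.iter("service"):
        # foregroundServiceType may hold several '|'-joined types
        if "mediaPlayback" in svc.get(A_FST, "").split("|"):
            hit("media_fg_service")
        if svc.get(A_PERM) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            hit("accessibility_service")

    score = sum(RULES[f][0] for f in findings)
    if "sideload_installer" in findings and "media_fg_service" in findings:
        verdict = "high"      # the specific pairing the report describes
    elif score >= 3:
        verdict = "medium"
    else:
        verdict = "low"       # a plain music player lands here, not in medium
    return {"package": root.get("package"), "findings": findings,
            "score": score, "verdict": verdict}


# Constructed sample: dropper-like manifest (package name is a placeholder).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".PlayerService" android:foregroundServiceType="mediaPlayback"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary music player that legitimately plays audio in the foreground.
MUSIC_PLAYER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".PlaybackService" android:foregroundServiceType="mediaPlayback"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, MUSIC_PLAYER_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], result["verdict"], result["score"])
        for f in result["findings"]:
            print("  -", RULES[f][1])
```

The point of the two samples is that a mediaPlayback foreground service by itself is normal Android behaviour and should not trigger an alert; it is the pairing with a self-installer permission (and, secondarily, an accessibility binding) that matches the persistence-plus-hidden-payload pattern described for BeatBanker, so the "high" verdict requires both.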

Kaspersky’s products detect this threat as HEUR:Trojan-Dropper.AndroidOS.BeatBanker and HEUR:Trojan-Dropper.AndroidOS.Banker.