BeatBanker Malware Drains Brazilian Phones for Crypto and Creds
New Android trojan BeatBanker mines Monero while stealing banking credentials. Spreads via fake Starlink and government apps in Brazil.
A new Android trojan is running a two-pronged attack against Brazilian users: stealing banking credentials while secretly mining cryptocurrency on infected devices. Kaspersky researchers discovered BeatBanker spreading through fake applications that impersonate Starlink's satellite internet app and Brazil's INSS Reembolso government benefits portal.
The malware's dual-purpose design is unusually aggressive. While most mobile trojans focus exclusively on credential theft, BeatBanker monetizes victims twice—once through financial fraud and again through cryptomining that drains device resources and battery life.
How BeatBanker Spreads
Distribution occurs through fraudulent Google Play Store replicas that host convincing imitations of legitimate apps. The fake Starlink app targets users seeking satellite internet service, while the INSS Reembolso impostor preys on Brazilians navigating the country's social security reimbursement system.
A secondary variant called BTMOB spreads through WhatsApp messages and phishing pages, expanding the attack surface beyond app store manipulation. Once installed, both variants request extensive permissions that enable full device compromise.
The choice of lures reflects careful targeting. Starlink launched expanded Brazilian coverage in late 2025, creating demand the malware operators exploited. Meanwhile, INSS Reembolso apps are perennial targets because they attract users conditioned to enter sensitive financial information.
Credential Theft and Transaction Hijacking
BeatBanker intercepts banking credentials through overlay attacks. When victims open legitimate banking apps, the malware displays a pixel-perfect fake login screen that captures entered credentials before passing users through to the real application. Victims often don't notice anything unusual.
The malware also monitors clipboard content for cryptocurrency wallet addresses. When users copy a receiving address for USDT or other tokens, BeatBanker silently replaces it with an attacker-controlled wallet. This clipboard hijacking redirects transactions without visible indication—victims believe they sent funds to the intended recipient until checking blockchain records.
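One way a wallet or payment app can catch the clipboard swap described above, as an added example that is not part of the article or of Kaspersky's analysis: record the address at the moment the user copies it from the app, then compare it with the clipboard contents at paste time. A replacement that keeps the same address format but a different value is the signature of a clipper. The two format checks are syntactic only (no checksum), and the function names and return values are my own choices.

```python
import re

# Format-only checks for the two networks USDT is most often sent on.
# They do not validate checksums; they only tell "another address of
# the same kind" apart from unrelated clipboard text.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def address_kind(text):
    """Return the network whose address format `text` matches, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def check_paste(copied, clipboard):
    """Compare the address recorded at copy time with the clipboard at paste time.

    Returns one of:
      "ok"      - clipboard still holds the copied address
      "swapped" - a different address of the same format (clipper behaviour)
      "changed" - clipboard holds something else entirely
      "empty"   - nothing to paste
    """
    if clipboard is None or not clipboard.strip():
        return "empty"
    if copied.strip() == clipboard.strip():
        return "ok"
    copied_kind = address_kind(copied)
    if copied_kind is not None and copied_kind == address_kind(clipboard):
        return "swapped"
    return "changed"


def paste_warning(copied, clipboard):
    """Human-readable outcome the app would show before a send is confirmed."""
    status = check_paste(copied, clipboard)
    if status == "swapped":
        return ("Destination address changed after you copied it; "
                "another app may have modified the clipboard.")
    if status == "changed":
        return "Clipboard does not contain the address you copied."
    if status == "empty":
        return "Clipboard is empty."
    return "Address verified."
```

On Android the same comparison would sit in the paste handler, reading the clipboard through ClipboardManager; the logic itself is platform-neutral. The check only works for addresses the app itself handed to the clipboard, which is why wallets also ask users to confirm the first and last characters of any pasted address.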
This technique has become standard among financially motivated Android malware targeting Latin America. The region's rapid cryptocurrency adoption, combined with less mature mobile security awareness, creates favorable conditions for these attacks.
Covert Cryptocurrency Mining
While stealing credentials provides direct financial returns, BeatBanker also mines Monero in the background. The malware intelligently monitors device conditions to avoid detection:
- Mining pauses when battery temperature rises too high
- Activity reduces when battery level drops below thresholds
- Mining intensity decreases during active user sessions
This adaptive approach extends the infection's lifespan. Users may notice degraded battery life and device performance but are unlikely to attribute these symptoms to malware without investigation.
To maintain continuous operation, BeatBanker exploits Android's media playback system. The malware "continuously plays a nearly inaudible audio file so that the Android system does not terminate the application," according to Kaspersky's analysis. This clever abuse of audio session management keeps the process alive even when minimized.
The BTMOB Remote Access Component
Alongside the primary BeatBanker payload, researchers identified a remote access trojan component designated BTMOB. This secondary payload provides attackers with:
- Real-time camera and microphone access
- Keystroke logging across all applications
- GPS location tracking
- Arbitrary file exfiltration
The combination of credential stealing, cryptomining, and full remote access represents a comprehensive mobile compromise toolkit. Attackers can monetize victims through multiple channels while maintaining persistent surveillance capabilities.
Attribution Remains Unclear
Kaspersky noted that audio files embedded in the malware contain Chinese words, but stopped short of attributing the campaign to Chinese threat actors. The observation could indicate development origins, acquired code, or deliberate misdirection.
What's clear is the operational focus on Brazil. All confirmed infections occurred within the country, and the social engineering lures exclusively target Brazilian services and institutions. Whether the operators are domestic or international, they've invested significant effort in localization.
Defending Against Mobile Banking Trojans
Android users in Brazil should take immediate precautions:
- Download apps only from the official Google Play Store—never from third-party sites
- Verify publisher information before installing apps claiming government or popular brand affiliation
- Review app permissions and deny access that seems excessive for stated functionality
- Monitor device battery usage for apps consuming unexpected resources
- Use banking apps' built-in security features including transaction verification
For organizations with employees in affected regions, mobile device management policies should restrict sideloading and enforce app vetting. Banking credentials entered on potentially compromised devices should be treated as exposed.
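As an added example of the app-vetting step above (my own code, not from the article or Kaspersky), the following script triages which apps on a managed device did not come from a trusted store. It parses the output of `adb shell pm list packages -i`, whose lines have the form `package:<name>  installer=<source>`; the sample output and the `com.example.*` package names are constructed for the demonstration, while `com.android.vending` is the real Play Store installer id. The `system_prefixes` heuristic for preloaded apps is an assumption to reduce noise, not an Android guarantee.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output, not captured
# from a real device. Package names are placeholders.
SAMPLE_PM_OUTPUT = """\
package:com.android.vending  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.fake_starlink  installer=com.android.packageinstaller
package:com.example.fake_inss  installer=com.google.android.packageinstaller
package:com.example.messenger  installer=com.android.vending
package:com.android.settings  installer=null
"""

# Installer ids a policy treats as trusted app stores (Play Store here).
TRUSTED_INSTALLERS = {"com.android.vending"}

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(output):
    """Parse `pm list packages -i` output into {package: installer-or-None}."""
    apps = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or unrelated lines
        installer = None if m.group(2) == "null" else m.group(2)
        apps[m.group(1)] = installer
    return apps


def find_sideloaded(apps, trusted=TRUSTED_INSTALLERS,
                    system_prefixes=("com.android.",)):
    """Return (package, installer) pairs not installed by a trusted store.

    Preloaded system apps report no installer at all; names under
    system_prefixes with no installer are skipped as an assumed-benign
    heuristic so the list is a triage queue, not a verdict.
    """
    flagged = []
    for pkg, installer in sorted(apps.items()):
        if installer in trusted:
            continue
        if installer is None and pkg.startswith(system_prefixes):
            continue
        flagged.append((pkg, installer or "none"))
    return flagged


def report(output):
    """Render the triage result as lines an MDM check could log."""
    lines = []
    for pkg, installer in find_sideloaded(parse_pm_list(output)):
        lines.append(f"REVIEW {pkg} (installer: {installer})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PM_OUTPUT):
        print(line)
```

Both fake-app entries in the sample surface because their installer is the generic package installer, which is what sideloading from a browser download or a WhatsApp attachment produces. On a device where sideloading is blocked by MDM, the same list should be empty apart from preloaded apps.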
This campaign adds to a growing body of mobile threats targeting Brazil's financial ecosystem. The combination of rapid digital payment adoption and expanding infostealer activity makes the region a proving ground for mobile malware innovation. Mobile credential theft doesn't stay contained—stolen data often surfaces in underground marketplaces, as demonstrated by the Match Group breach that exposed millions of dating app users.