
BeatBanker: Android Malware Campaign Hijacking Devices via Fake Play Store and Persistent Audio Loops


Executive Summary

A sophisticated Android malware campaign targeting users in Brazil has been identified by Kaspersky's Global Research and Analysis Team (GReAT) and dubbed BeatBanker. This dual-mode Trojan relies on a phishing site that masquerades as the official Google Play Store to distribute a malicious application named "INSS Reembolso." Once installed, the malware deploys a multi-component payload, combining a cryptocurrency miner with a banking Trojan capable of full device hijacking and screen spoofing.

What sets BeatBanker apart from standard banking Trojans is its persistence mechanism. To stay resident on the victim's device, BeatBanker plays an almost inaudible audio file on an infinite loop. This keeps the process at foreground priority, so neither the system's background limits nor swiping the app out of the Recents screen ends it, and it is the behavior that inspired the malware's name. The threat actors have also shown agility, recently swapping the banking module for a known Remote Access Trojan (RAT) named BTMOB. SecLookup's threat intelligence platform was actively monitoring these domains, detecting and blocking the malicious infrastructure to protect our users.

Threat Analysis

Infection Vector and Social Engineering

The initial phase of the attack is a classic example of phishing via a counterfeit website. The attackers registered the domain cupomgratisfood[.]shop, which mimics the visual design of the Google Play Store. This landing page hosts a malicious application titled "INSS Reembolso." Because the APK is served from a browser rather than the real store, the victim also has to allow installation from unknown sources, a prompt the lure page is built to talk them through.

In Brazil, the Instituto Nacional do Seguro Social (INSS) is a critical government service used by millions for social security tasks, including retirement applications and medical assessments. By leveraging this high-trust entity, the attackers increase the likelihood of a download. The "INSS Reembolso" app is not a government tool; it is a malicious APK carrying the BeatBanker payload under a government-themed name and icon.

Persistence Mechanism: The "Beat" Loop

An ordinary Android app that the user swipes out of the Recents screen, or that the system judges to be an idle background process, is simply killed, and a malicious app loses its foothold with it. BeatBanker sidesteps this with a creative persistence technique: it continuously plays an almost inaudible audio file in the background.

Android treats a process that is actively playing media through a foreground service with the same priority as the app on screen: it is exempt from background execution limits, it is not reclaimed by the low-memory killer, and it survives being swiped away from Recents. The silent loop therefore acts as a "lock" that keeps the malware resident so its other components can run regardless of what the user does in the task switcher. The one user action that still works is the Force stop button on the app's Settings page, which puts the package into the stopped state; the trick relies on most victims never going there. The price the malware pays is a permanent media notification and an app that is always "playing", which is exactly what a practitioner should look for on a suspect device.
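The keep-alive pattern described above, written out as an added example in plain Android APIs. This is not BeatBanker's code; it is the generic foreground-media-service construction that any app, benign or malicious, would use. Assumed names: KeepAliveService, the raw resource R.raw.silence (a short, near-silent clip), a minimum SDK of 26, and a manifest that declares FOREGROUND_SERVICE, FOREGROUND_SERVICE_MEDIA_PLAYBACK (API 34+), POST_NOTIFICATIONS (API 33+) and the service entry with android:foregroundServiceType="mediaPlayback".

```kotlin
// Added example (not BeatBanker's code): a foreground media service that loops
// a near-silent clip to keep its process at foreground priority.
// Assumptions: minSdk 26; R.raw.silence exists; manifest declares
//   <service android:name=".KeepAliveService"
//            android:foregroundServiceType="mediaPlayback" />
// plus the FOREGROUND_SERVICE* and POST_NOTIFICATIONS permissions.
package com.example.keepalive

import android.app.Notification
import android.app.NotificationChannel
import android.app.NotificationManager
import android.app.Service
import android.content.Intent
import android.content.pm.ServiceInfo
import android.media.MediaPlayer
import android.os.Build
import android.os.IBinder

class KeepAliveService : Service() {
    private var player: MediaPlayer? = null

    override fun onBind(intent: Intent?): IBinder? = null

    override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
        // 1. Promote the process to foreground priority. The notification is
        //    mandatory, so a persistent "media" notification is the visible tell.
        val notification = buildNotification()
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            startForeground(
                NOTIFICATION_ID, notification,
                ServiceInfo.FOREGROUND_SERVICE_TYPE_MEDIA_PLAYBACK
            )
        } else {
            startForeground(NOTIFICATION_ID, notification)
        }

        // 2. Loop a near-silent clip forever. Active playback through the media
        //    stack is what keeps the process out of the background buckets and
        //    away from the low-memory killer; the tiny volume hides it from the user.
        if (player == null) {
            player = MediaPlayer.create(this, R.raw.silence).apply {
                isLooping = true
                setVolume(0.01f, 0.01f)
                start()
            }
        }

        // 3. If the system ever does kill the process, ask to be restarted.
        return START_STICKY
    }

    override fun onDestroy() {
        player?.release()
        player = null
        super.onDestroy()
    }

    private fun buildNotification(): Notification {
        val nm = getSystemService(NotificationManager::class.java)
        nm.createNotificationChannel(
            NotificationChannel(CHANNEL_ID, "Playback", NotificationManager.IMPORTANCE_LOW)
        )
        return Notification.Builder(this, CHANNEL_ID)
            .setSmallIcon(android.R.drawable.ic_media_play)
            .setContentTitle("Playing")
            .setOngoing(true)
            .build()
    }

    companion object {
        private const val CHANNEL_ID = "keepalive"
        private const val NOTIFICATION_ID = 1
    }
}
```

An activity starts it with startForegroundService(Intent(this, KeepAliveService::class.java)). For an analyst, the things to grep for in a decompiled sample are the mediaPlayback service type in the manifest, a MediaPlayer or ExoPlayer instance set to loop a very small raw resource at near-zero volume, and START_STICKY; on a live device, adb shell dumpsys activity services <package> shows the record marked isForeground=true and adb shell dumpsys audio lists the active playback configuration under that app's uid.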

Dual-Mode Payload: Banker and Miner

Upon successful installation, BeatBanker deploys a dual-mode payload:

  1. Cryptocurrency Miner: The malware utilizes the victim's device resources to mine cryptocurrencies, likely Monero (XMR), generating revenue for the threat actors while draining the device's battery and increasing thermal output.

  2. Banking Trojan: This component is designed to steal financial credentials and, as described below, to divert cryptocurrency transfers. It uses overlay attacks, which MITRE ATT&CK for Mobile classifies as Input Capture: GUI Input Capture (T1417.002), to impersonate legitimate banking and wallet interfaces.

When a victim attempts a USDT (Tether) transfer, BeatBanker draws an overlay window on top of the legitimate Binance or Trust Wallet app that reproduces the transaction screen with the destination wallet address replaced by one the attacker controls. Seeing a familiar interface, the victim confirms what looks like the intended transfer, and the funds are routed to the threat actor. Drawing over another app requires either the "Display over other apps" (SYSTEM_ALERT_WINDOW) permission or an abused accessibility service, both of which the victim has to grant by hand, so a government "reimbursement" app asking for either is itself a warning sign.
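One way a wallet app's confirmation screen can blunt the address-swap overlay, as an added example that is not code from the original page or from Binance or Trust Wallet. Assumed names: ConfirmTransferActivity, a layout activity_confirm_transfer with a TextView addressView and a Button confirmButton, and the EXTRA_DESTINATION key; the manifest is assumed to declare android.permission.HIDE_OVERLAY_WINDOWS, the normal permission that setHideOverlayWindows needs on API 31+. The address-format check covers only the two chains USDT commonly travels on and is an illustration, not a complete validator.

```kotlin
// Added example (not any real wallet's code): a transfer-confirmation screen
// hardened against overlay spoofing and tapjacking.
// Assumptions: manifest declares android.permission.HIDE_OVERLAY_WINDOWS;
// layout ids addressView / confirmButton exist; minSdk 23.
package com.example.wallet

import android.app.Activity
import android.content.Intent
import android.os.Build
import android.os.Bundle
import android.widget.Button
import android.widget.TextView

class ConfirmTransferActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_confirm_transfer)

        // Defence 1 (Android 12+): hide every TYPE_APPLICATION_OVERLAY window of
        // other apps while this activity is visible, so a fake address panel
        // drawn by a "Display over other apps" holder is simply not shown.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        // Defence 2: the address shown and the address handed to the signer are
        // the same string, taken from the app's own state, never re-read from an
        // editable field or the clipboard at confirmation time.
        val destination = intent.getStringExtra(EXTRA_DESTINATION)
        if (destination == null || !looksLikeTronOrEvmAddress(destination)) {
            setResult(RESULT_CANCELED)
            finish()
            return
        }
        findViewById<TextView>(R.id.addressView).text = destination

        // Defence 3 (all versions): drop touches delivered while another window
        // fully obscures the button, so a transparent overlay cannot relay a tap.
        // Caveat: on API 29+ a partially covered tap carries
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED and still passes this filter.
        findViewById<Button>(R.id.confirmButton).apply {
            filterTouchesWhenObscured = true
            setOnClickListener {
                // Return exactly the verified string to the caller that signs.
                setResult(RESULT_OK, Intent().putExtra(EXTRA_DESTINATION, destination))
                finish()
            }
        }
    }

    companion object {
        const val EXTRA_DESTINATION = "destination"

        // USDT is mostly moved on Tron (Base58, 'T' + 33 chars) and on EVM
        // chains (0x + 40 hex digits); reject anything else before display.
        private val EVM = Regex("^0x[0-9a-fA-F]{40}$")
        private val TRON = Regex("^T[1-9A-HJ-NP-Za-km-z]{33}$")

        fun looksLikeTronOrEvmAddress(address: String): Boolean =
            EVM.matches(address) || TRON.matches(address)
    }
}
```

Two limits worth knowing: setHideOverlayWindows only hides SYSTEM_ALERT_WINDOW overlays, so a Trojan that abuses an accessibility service to draw its window is not affected, and filterTouchesWhenObscured protects the tap, not the pixels, which is why both are combined with showing the address from trusted state.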

Behavioral Monitoring

To time its attack and limit battery drain, BeatBanker includes a set of heuristics that monitor the device state:

  • Battery Temperature: The malware reads the battery temperature, a proxy for whether mining has already made the phone noticeably hot.

  • Usage Detection: It checks whether the screen is on and the user is interacting with the device.

  • Execution Logic: The malware schedules its modules against this state. Resource-hungry work, such as mining and a live RAT session, runs when the device is cool and idle so its heat and slowdown are not noticed during active use, while the transaction overlay necessarily fires while the victim is in the wallet app.
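The gating heuristics above, expressed as an added example in public Android APIs. This is not BeatBanker's code; the names (DeviceState, readDeviceState, decide), the three-way decision and the 42 °C threshold are assumptions chosen for illustration. Its value for a reverse engineer is the set of calls a sample of this kind has to make: the sticky ACTION_BATTERY_CHANGED broadcast, PowerManager.isInteractive and KeyguardManager.isKeyguardLocked.

```kotlin
// Added example (not BeatBanker's code): device-state gating for "heavy" work.
// Assumptions: names and the 42.0 °C threshold are illustrative.
package com.example.gating

import android.app.KeyguardManager
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.os.BatteryManager
import android.os.PowerManager

data class DeviceState(
    val batteryTenthsC: Int,        // EXTRA_TEMPERATURE is in tenths of a degree Celsius
    val screenInteractive: Boolean, // screen on and accepting input
    val locked: Boolean,            // keyguard showing
)

fun readDeviceState(ctx: Context): DeviceState {
    // ACTION_BATTERY_CHANGED is a sticky broadcast: registering a null receiver
    // just returns the last Intent, so this needs no permission and no listener.
    val battery = ctx.registerReceiver(null, IntentFilter(Intent.ACTION_BATTERY_CHANGED))
    val tenths = battery?.getIntExtra(BatteryManager.EXTRA_TEMPERATURE, -1) ?: -1
    val pm = ctx.getSystemService(Context.POWER_SERVICE) as PowerManager
    val km = ctx.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager
    return DeviceState(tenths, pm.isInteractive, km.isKeyguardLocked)
}

enum class Decision {
    PAUSE,        // device is hot: stop everything and let it cool
    USER_PRESENT, // user is active: stay quiet, keep only the wallet-app watcher
    RUN_HEAVY     // cool and idle: mining / RAT session may run
}

fun decide(state: DeviceState, hotTenthsC: Int = 420): Decision = when {
    state.batteryTenthsC >= hotTenthsC -> Decision.PAUSE
    state.screenInteractive && !state.locked -> Decision.USER_PRESENT
    else -> Decision.RUN_HEAVY
}

// Typical use from a periodic worker: decide(readDeviceState(context)).
```

The defender's mirror image is the same signal read the other way: an app that is consistently the top CPU consumer only while the screen is off is behaving like this gate, and battery-usage screens and dumpsys batterystats both expose that pattern.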

Evolution: The Shift to BTMOB RAT

In a concerning evolution of the campaign, Kaspersky researchers noted that newer samples of BeatBanker have dropped the banking Trojan component entirely. Instead, these variants deploy a known RAT called BTMOB. This switch suggests the threat actors are refining their strategy, moving from targeted financial theft to broader system compromise: a RAT gives full remote control of the device and data exfiltration, and a controlled phone on the victim's Wi-Fi is also a foothold for reaching other hosts on that network.

Indicators of Compromise (IOCs)

SecLookup's threat intelligence platform has identified and flagged the following malicious domains associated with the BeatBanker campaign. These domains are confirmed malicious and are being actively blocked.

cupomgratisfood[.]shop

This is the primary phishing domain used to distribute the "INSS Reembolso" application.

bt-mob[.]net

This domain serves as the infrastructure for the BTMOB RAT component.

SecLookup Detection

SecLookup is actively detecting this threat. Our platform identified and blocks the malicious domains cupomgratisfood[.]shop and bt-mob[.]net.

Recommendations

To protect against threats like BeatBanker, we recommend the following defensive measures:

  1. Verify App Sources: Only download applications from the official Google Play Store. Be wary of apps offering government services or "reimbursements" that are not officially hosted on the Play Store.

  2. Inspect URLs: Before downloading an app or entering credentials, verify the address in the browser bar. The real Play Store lives at play.google.com; look for look-alike names and unusual domain extensions (e.g., .shop or .top instead of .com), and be suspicious of any "store" page that hands you an APK file directly.

  3. Monitor Background Audio: If your device becomes unusually warm or the battery drains rapidly, look for an app that is "playing" audio you never started: a persistent media notification, or an unfamiliar app near the top of the battery-usage list. On a device with USB debugging enabled, adb shell dumpsys audio lists active playback by uid and adb shell dumpsys activity services <package> shows the foreground service that holds it. A silent file on permanent loop is a strong indicator of the BeatBanker persistence mechanism.

  4. Restrict Overlay Permission: Android grants "Display over other apps" (SYSTEM_ALERT_WINDOW) per app. Review which apps hold it and revoke it from anything that does not clearly need it, and treat an app that asks for it, or for accessibility-service access, as a red flag. Without that permission there is no canvas for the wallet-address overlay to be drawn on.

  5. Use Mobile Threat Defense: Ensure your mobile security solution (MTD or mobile EDR) includes behavioral monitoring that flags apps holding a permanent foreground media service, unexpected overlay or accessibility permissions, and sustained CPU use while the device is idle.
