BeatBanker: The Dual-Mode Android Trojan Using Silent Audio to Steal Crypto and Bank Funds
Security researchers at Kaspersky have uncovered BeatBanker, a sophisticated Android Trojan targeting users in Brazil through a fake Google Play Store. The malware employs an unusual evasion tactic: it plays an inaudible five-second audio loop so that the system does not terminate its process, ensuring persistent operation.
The attack begins with a counterfeit website (cupomgratisfoodshop), mimicking the official Google Play Store to distribute the INSS Reembolso app. Disguised as a government portal for social security services, the app tricks victims into granting dangerous permissions under the guise of an "update." Once installed, BeatBanker displays a fake system notification to maintain activity while silently running in the background.
The Trojan’s primary function is financial theft. When users open cryptocurrency apps like Binance or Trust Wallet, BeatBanker overlays a fake screen, swapping the recipient’s wallet address with the attacker’s during transactions. It also monitors browser activity in Chrome and Edge to harvest login credentials.
Recent variants have escalated the threat by deploying BTMOB RAT, a remote access tool that grants attackers full control of the device: recording audio, accessing cameras, tracking GPS, and even performing a factory reset to erase evidence. The malware spreads by abusing accessibility permissions, which it obtains under false pretenses.
Kaspersky’s findings highlight BeatBanker’s dual-mode capabilities: cryptocurrency mining to drain device resources and direct financial theft through deceptive overlays. The campaign underscores the evolving tactics of mobile malware, particularly in regions with high digital banking adoption.
Source: https://hackread.com/beatbanker-android-trojan-silent-audio-loop-crypto/
Binance Brasil cybersecurity rating report: https://www.rankiteo.com/company/binancebrasil
INSS cybersecurity rating report: https://www.rankiteo.com/company/inss
Google cybersecurity rating report: https://www.rankiteo.com/company/google
{
  "id": "BININSGOO1773253647",
  "linkid": "binancebrasil, inss, google",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Financial Services, Cryptocurrency",
      "location": "Brazil",
      "name": "General Android users in Brazil",
      "type": "Individuals"
    },
    {
      "industry": "Cryptocurrency",
      "location": "Global",
      "name": "Binance",
      "type": "Cryptocurrency Exchange"
    },
    {
      "industry": "Cryptocurrency",
      "location": "Global",
      "name": "Trust Wallet",
      "type": "Cryptocurrency Wallet"
    }
  ],
  "attack_vector": "Malicious app distributed via fake website",
  "data_breach": {
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Login credentials",
      "Wallet addresses",
      "Personally identifiable information"
    ]
  },
  "description": "Security researchers at Kaspersky have uncovered *BeatBanker*, a sophisticated Android Trojan targeting users in Brazil through a fake Google Play Store. The malware employs a unique evasion tactic playing an inaudible five-second audio loop to prevent the system from terminating its process, ensuring persistent operation. The attack begins with a counterfeit website (*cupomgratisfoodshop*), mimicking the official Google Play Store to distribute the *INSS Reembolso* app. Disguised as a government portal for social security services, the app tricks victims into granting dangerous permissions under the guise of an 'update.' Once installed, BeatBanker displays a fake system notification to maintain activity while silently running in the background. The Trojan’s primary function is financial theft. When users open cryptocurrency apps like Binance or Trust Wallet, BeatBanker overlays a fake screen, swapping the recipient’s wallet address with the attacker’s during transactions. It also monitors browser activity in Chrome and Edge to harvest login credentials. Recent variants have escalated the threat by deploying *BTMOB RAT*, a remote access tool that grants attackers full control recording audio, accessing cameras, tracking GPS, and even performing a factory reset to erase evidence. The malware spreads by exploiting accessibility permissions, often under false pretenses. Kaspersky’s findings highlight BeatBanker’s dual-mode capabilities: cryptocurrency mining to drain device resources and direct financial theft through deceptive overlays.",
  "impact": {
    "data_compromised": "Login credentials, wallet addresses, personally identifiable information",
    "financial_loss": "Crypto and bank funds theft",
    "identity_theft_risk": "High",
    "operational_impact": "Device resource drainage, unauthorized remote access",
    "payment_information_risk": "High",
    "systems_affected": "Android devices"
  },
  "initial_access_broker": {
    "backdoors_established": "BTMOB RAT",
    "entry_point": "Fake Google Play Store website (*cupomgratisfoodshop*)",
    "high_value_targets": "Cryptocurrency and banking app users"
  },
  "lessons_learned": "Evolving tactics of mobile malware, particularly in regions with high digital banking adoption; importance of verifying app sources and permissions.",
  "motivation": "Financial theft",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced user education on app permissions, stricter app store vetting, and improved detection of fake overlays.",
    "root_causes": "Exploitation of accessibility permissions, fake overlays, and social engineering to trick users into granting permissions."
  },
  "recommendations": "Avoid downloading apps from unofficial sources, scrutinize app permissions, use multi-factor authentication, and monitor device performance for unusual activity.",
  "references": [
    {
      "source": "Kaspersky"
    }
  ],
  "response": {
    "third_party_assistance": "Kaspersky"
  },
  "title": "BeatBanker: The Dual-Mode Android Trojan Using Silent Audio to Steal Crypto and Bank Funds",
  "type": "Trojan",
  "vulnerability_exploited": "Exploitation of accessibility permissions, fake overlays"
}