BeatBanker: both banker and miner for Android
Essential information
- Published: 10/03/2026 12:26
- Modified: 10/03/2026 13:02
- Tags: 2026-03-10 android banking trojan beatbanker brazil btmob cryptocurrency overlay persistence phishing rat
- Related entities: 5 observables, 2 malware, 10 others
Description
BeatBanker is a sophisticated Android malware campaign targeting Brazil. It spreads through phishing attacks using a fake Google Play Store website. The malware combines a cryptocurrency miner and a banking Trojan capable of hijacking devices and overlaying screens. It employs creative persistence mechanisms, including playing an inaudible audio loop. BeatBanker monitors device status, disguises itself as legitimate apps, and targets cryptocurrency transactions on Binance and Trust Wallet. Recent variants have replaced the banking module with the BTMOB remote administration tool, expanding its capabilities. The threat demonstrates advanced evasion techniques, uses Firebase Cloud Messaging for command and control, and targets multiple browsers for data collection. Victims are primarily located in Brazil, with some samples spreading via WhatsApp.