
Kaspersky uncovers a new Android malware campaign disguised as Starlink application

Kaspersky Global Research and Analysis Team (GReAT) has uncovered a new Android malware campaign in which cybercriminals distributed the BeatBanker Trojan under the guise of the Starlink application for Android. Threat actors primarily target users from Brazil; nevertheless, Kaspersky experts don’t rule out that users from other countries may also face this threat. The Trojan employs a Monero cryptocurrency miner and additionally installs a BTMOB remote administration tool (RAT) on the infected devices. To maintain its persistence, BeatBanker uses an uncommon mechanism involving a nearly inaudible looped audio file.

“At first we saw BeatBanker being distributed under the guise of a public services app; it installed a banking Trojan in addition to a cryptocurrency miner. However, our recent detection efforts uncovered a new campaign with another BeatBanker variant that deploys the BTMOB RAT instead of the banker module. The attackers appear to be using a fresh lure with the Starlink app to reach more victims from different countries. Therefore, it is important for users to stay vigilant and use advanced solutions to protect their smartphones,” comments Fabio Assolini, Head of the Americas & Europe units at Kaspersky GReAT.

Initial vector of infection

Kaspersky experts believe that cybercriminals distribute a fake Starlink application containing the BeatBanker Trojan through phishing pages that mimic the Google Play Store. After execution on a compromised device, the Trojan displays a user interface that also mimics Google Play. Cybercriminals trick victims into granting installation permissions, thus allowing the download of additional hidden malicious payloads.

Crypto mining and BTMOB RAT module

When a user clicks UPDATE on the fake Google Play page, a Monero cryptocurrency miner is deployed. BeatBanker monitors the battery level and temperature of the infected smartphone, as well as user activity, and starts or stops the hidden miner accordingly.

The Android Trojan also installs the BTMOB RAT on the compromised device. BTMOB enables full remote control and is sold as Malware-as-a-Service. It can grant permissions automatically, hide system notifications, and has mechanisms designed to capture screen lock credentials, including PINs, patterns and passwords, on compromised devices. The malware also gives cybercriminals access to the front and rear cameras, GPS location monitoring and constant collection of sensitive data.

To ensure persistence and hinder uninstallation, BeatBanker maintains a fixed notification in the foreground and activates a foreground service with silent media playback. This tactic is designed to prevent the operating system from removing the malicious process.

Kaspersky’s products detect this threat as HEUR:Trojan-Dropper.AndroidOS.BeatBanker and HEUR:Trojan-Dropper.AndroidOS.Banker.*.

To stay protected from mobile threats, Kaspersky recommends the following:

  • Download apps only from official app stores for smartphones, such as Apple App Store and Google Play, but remember that even downloading apps from official stores is not always risk-free.
  • Always check app reviews, only use links from official websites and install reliable security software, like Kaspersky Premium, that can detect and block malicious activity if an app turns out to be fraudulent.
  • Check the permissions of apps that you use and think carefully before permitting an app, especially when it comes to high-risk permissions such as Accessibility Services.
  • Update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.
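The capabilities described above (an installation permission used to drop hidden payloads, an accessibility service, a media-playback foreground service for persistence, and camera and location access) all leave traces in an app's manifest. The following Python script is an added example, not code from Kaspersky or from the Securelist report: it parses a decoded AndroidManifest.xml and flags that combination, which is the kind of permission review the recommendation above asks users and analysts to perform. The manifest, package name and service names in the block are constructed for illustration and are not taken from the real sample.

```python
"""Triage a decoded AndroidManifest.xml for the capability combination
attributed to BeatBanker/BTMOB: install permission, accessibility service,
media-playback foreground service, camera and precise location.
The sample manifest below is constructed; nothing here is from a real sample."""
import xml.etree.ElementTree as ET

# Attributes in a manifest live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Real Android permission names, mapped to the behaviour they would enable.
HIGH_RISK_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages (hidden payload drop)",
    "android.permission.CAMERA": "camera access (remote surveillance)",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location monitoring",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK": "media-playback foreground service (persistence via silent audio)",
}

# Constructed manifest for a hypothetical sideloaded "Starlink" lookalike.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakestarlink">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK"/>
    <application android:label="Starlink">
        <service android:name=".KeepAliveService"
            android:foregroundServiceType="mediaPlayback"/>
        <service android:name=".AccessService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, a list of human-readable findings and a verdict."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Requested permissions.
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    for perm, why in HIGH_RISK_PERMISSIONS.items():
        if perm in requested:
            findings.append(f"permission {perm}: {why}")

    # 2. Declared services: media-playback foreground service and accessibility binding.
    media_fgs = accessibility = False
    for svc in root.iter("service"):
        name = svc.get(ANDROID_NS + "name", "?")
        if "mediaPlayback" in svc.get(ANDROID_NS + "foregroundServiceType", ""):
            media_fgs = True
            findings.append(f"service {name}: mediaPlayback foreground service (keeps process alive)")
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            accessibility = True
            findings.append(f"service {name}: accessibility service (can grant permissions and read screen)")

    # Verdict: accessibility plus either an installer permission or a media
    # foreground service is the combination worth escalating for manual review.
    installer = "android.permission.REQUEST_INSTALL_PACKAGES" in requested
    if accessibility and (installer or media_fgs):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "->", result["verdict"])
    for line in result["findings"]:
        print("  -", line)
```

Run it against a manifest decoded with a tool such as apktool; a "suspicious" verdict only means the app combines capabilities that deserve a closer look, not that it is malicious, since legitimate media and accessibility apps can legitimately declare some of the same entries.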

See the post on Securelist for more information.
