In a sophisticated new campaign targeting users in Brazil, researchers at Kaspersky Labs have uncovered BeatBanker, an Android-based malware that blurs the line between a discreet cryptocurrency miner and a high-impact banking Trojan. Spread primarily through phishing sites disguised as the official Google Play Store, this malware is designed for one thing: total device control.
What sets BeatBanker apart is its “creative” approach to staying alive on a victim’s handset. To ensure the operating system doesn’t terminate its malicious processes, the Trojan “plays an almost inaudible audio file on a loop so it cannot be terminated”. This rhythmic persistence mechanism is what inspired the researchers to give the malware its name.
BeatBanker is obsessed with remaining hidden while it drains a victim’s resources. The malware constantly monitors the device’s state—checking battery temperature, percentage, and whether the user is currently active—to time its most intrusive actions.
To gain initial trust, it frequently “disguises itself as a legitimate application on the Google Play Store and as the Play Store itself”. Once established, the malware operates a dual-threat campaign:
- Cryptocurrency Mining: It acts as a Monero miner, “discreetly draining your device’s battery life” while generating revenue for the attackers.
- Banking Hijacking: The banking module is capable of “overlaying Binance and Trust Wallet screens” to intercept transactions. When a user attempts a USDT transfer, BeatBanker “covertly replaces the destination address with the threat actor’s transfer address” before the victim can notice.
Kaspersky researchers observed that in more recent iterations of the campaign, the attackers have pivoted, replacing the banking module with a full-fledged BTMOB RAT (Remote Access Trojan).
This transition significantly upgrades the attackers’ capabilities, allowing for even deeper exploitation of the infected device. Some of these new variants appear to be spreading through social engineering on WhatsApp in addition to traditional phishing pages.
BeatBanker is a prime example of how mobile threats are becoming increasingly multi-layered. As the researchers conclude: “Initially focused in Brazil, this Trojan operates a dual campaign, acting as a Monero cryptocurrency miner… while also stealing banking credentials and tampering with cryptocurrency transactions.”
Users are urged to avoid third-party app stores and be wary of “system updates” delivered via SMS or WhatsApp.
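For defenders managing a fleet of Android devices, the Play Store impersonation described above can be checked against an app inventory. The following is an added example, not code from Kaspersky's report or from this article: the inventory format, the sample rows, and the choice of permissions as risk signals are assumptions, while `com.android.vending` is the package name of the genuine Play Store.

```python
# Added example: triage an app inventory for Play Store impersonation.
PLAY_STORE_PKG = "com.android.vending"  # package name of the genuine Play Store
STORE_LABELS = ("play store", "google play")
# Real Android permissions; using them as risk signals is this example's assumption.
RISKY_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs",
}

# Constructed sample rows (hypothetical MDM export), not data from the report.
SAMPLE_INVENTORY = [
    {"label": "Google Play Store", "package": PLAY_STORE_PKG,
     "installer": None, "system": True, "permissions": []},
    {"label": "Maps", "package": "com.google.android.apps.maps",
     "installer": PLAY_STORE_PKG, "system": False, "permissions": []},
    {"label": "Play Store", "package": "com.example.storeupdate",
     "installer": None, "system": False,
     "permissions": list(RISKY_PERMS)},
    {"label": "Notes", "package": "org.example.notes",
     "installer": None, "system": False, "permissions": []},
]

def triage(app):
    """Return findings for one inventory row; an empty list means not flagged."""
    findings = []
    pkg, installer = app["package"], app.get("installer")
    if pkg == PLAY_STORE_PKG or app.get("system"):
        return findings  # genuine store or preinstalled system app
    if any(s in app["label"].lower() for s in STORE_LABELS):
        findings.append("label imitates the Play Store, package is " + pkg)
    if installer != PLAY_STORE_PKG:
        findings.append("not installed by the Play Store (installer=%s)" % installer)
    if findings:  # weigh permissions only for apps that are already suspect
        findings += ["%s: %s" % (p, why) for p, why in RISKY_PERMS.items()
                     if p in app["permissions"]]
    return findings

def report(inventory):
    """Map package name -> findings for every flagged app."""
    flagged = {app["package"]: triage(app) for app in inventory}
    return {pkg: f for pkg, f in flagged.items() if f}

if __name__ == "__main__":
    for pkg, findings in report(SAMPLE_INVENTORY).items():
        print(pkg)
        for f in findings:
            print("  -", f)
```

A sideloaded app is not malicious by itself; the store-imitating label combined with a non-Play installer is the stronger signal, and the permission findings only add context to apps already flagged.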