142/69 Thursday, March 12, 2026

Security researchers from Kaspersky have discovered a new Android malware called BeatBanker, which spreads through websites designed to closely mimic the appearance of the Google Play Store in order to trick users into installing a fake Starlink app. The malware acts as a dangerous “two-in-one” threat, functioning both as a banking trojan that steals passwords and interferes with cryptocurrency transactions, and as a covert cryptocurrency miner that installs software to mine Monero without the victim’s consent. In its latest variant, the malware has also incorporated BTMOB RAT, enabling attackers to fully control the victim’s device remotely, ranging from screen recording and microphone eavesdropping to accessing the camera and GPS location.
One of BeatBanker’s most notable characteristics is its advanced stealth techniques designed to maintain long-term persistence on infected devices. The malware repeatedly plays a nearly inaudible 5-second MP3 audio file, tricking the Android system into believing that the application must continue running in the background, thereby preventing the operating system from terminating the process. Meanwhile, during cryptocurrency mining operations, the malware continuously sends battery status and device temperature data back to a command-and-control (C2) server. If the device is actively being used or the temperature rises too high, the malware temporarily stops mining to avoid noticeable performance degradation or overheating that could alert the user.
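
A detection heuristic for the audio keep-alive behaviour described above, as an added example that is not from Kaspersky's report or the original article. It assumes a device-monitoring agent exports audio playback events with the hypothetical fields shown; the thresholds, package names and sample events are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class PlaybackEvent:
    ts: float          # start time, seconds since capture began
    package: str       # app that started playback
    duration_s: float  # clip length in seconds
    volume: float      # effective output volume, 0.0 to 1.0
    foreground: bool   # True if the app had a visible activity

def find_keepalive_audio(events, max_clip_s=10.0, max_volume=0.05,
                         min_repeats=20, max_gap_s=2.0):
    """Map package -> longest run of short, near-silent, background clips
    played back to back. Thresholds are assumptions, not Kaspersky values."""
    by_pkg = defaultdict(list)
    for e in events:
        if not e.foreground and e.duration_s <= max_clip_s and e.volume <= max_volume:
            by_pkg[e.package].append(e)
    flagged = {}
    for pkg, evs in by_pkg.items():
        evs.sort(key=lambda e: e.ts)
        run = best = 1
        for prev, cur in zip(evs, evs[1:]):
            # Gap between the end of one clip and the start of the next.
            gap = cur.ts - (prev.ts + prev.duration_s)
            run = run + 1 if gap <= max_gap_s else 1
            best = max(best, run)
        if best >= min_repeats:
            flagged[pkg] = best
    return flagged

# Constructed sample telemetry (package names are placeholders).
EVENTS = (
    [PlaybackEvent(i * 5.0, "com.example.suspect", 5.0, 0.01, False) for i in range(30)]
    + [PlaybackEvent(i * 200.0, "com.example.music", 200.0, 0.6, False) for i in range(3)]
    + [PlaybackEvent(t, "com.example.chat", 1.0, 0.5, False) for t in (12.0, 90.0, 400.0)]
    + [PlaybackEvent(i * 5.0, "com.example.meditation", 5.0, 0.02, True) for i in range(30)]
    + [PlaybackEvent(t, "com.example.podcast", 4.0, 0.0, False) for t in (0.0, 4.0)]
)

if __name__ == "__main__":
    for pkg, repeats in find_keepalive_audio(EVENTS).items():
        print(f"{pkg}: {repeats} consecutive near-silent background clips")
```

Only the package that loops a short, near-silent clip while in the background is flagged; audible music, notification sounds, foreground playback and a brief two-clip run fall below the heuristic.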
Although the current campaign has been primarily observed in Brazil, security experts warn that this type of malware could quickly spread to other regions, including Thailand, if attackers identify effective distribution channels. The best defense for Android users is to avoid installing applications via APK files from untrusted sources, carefully review the permissions requested by apps, and enable Google Play Protect to regularly scan for threats. These precautions are essential to protecting personal data and digital assets from compromise.
