Starlink Impersonator: The New BeatBanker Android Malware Threat

A newly discovered Android malware known as BeatBanker has the ability to take control of devices and deceives users by disguising itself as a Starlink app on fake websites posing as the official Google Play Store.

This malicious software combines traditional banking trojan features with Monero mining capabilities, allowing it to steal sensitive information like credentials and manipulate cryptocurrency transactions.

Researchers at Kaspersky identified BeatBanker in campaigns targeting individuals in Brazil. They also found that the latest version of the malware incorporates the BTMOB RAT, an Android remote access trojan, instead of the banking module.

BTMOB RAT gives cybercriminals complete control over a device, enabling keylogging, screen recording, camera access, GPS tracking, and the ability to capture credentials.

Persistence Through Unconventional Means

BeatBanker is distributed as an APK file that utilizes native libraries to decrypt and load hidden DEX code directly into a device’s memory, ensuring evasion of detection.

Prior to activation, the malware conducts checks to verify that it is not under analysis. If successful, it presents users with a fake Play Store update screen, tricking them into granting permissions for the installation of additional payloads.

To avoid raising any red flags, BeatBanker delays its malicious activities for a period after installation.

Kaspersky reports that the malware employs a unique method to maintain persistence by continuously playing an almost inaudible 5-second recording of Chinese speech from an MP3 file named output8.mp3.

“The KeepAliveServiceMediaPlayback component ensures continuous operation by initiating uninterrupted playback via MediaPlayer,” Kaspersky explains in a recent report.

“It keeps the service active in the foreground using a notification and loads a small, continuous audio file. This constant activity prevents the system from suspending or terminating the process due to inactivity.”

Stealthy Cryptocurrency Mining

BeatBanker leverages a modified version of the XMRig miner (version 6.17.0) compiled for ARM devices to mine Monero on Android devices. XMRig connects to mining pools controlled by the attackers through encrypted TLS connections, and switches to a proxy if the primary connection fails.

The mining operation can be started or stopped dynamically based on device conditions, which are closely monitored by the operators to ensure optimal performance and maintain stealth.

Using Firebase Cloud Messaging (FCM), the malware continuously sends data about the device’s battery level, temperature, charging status, usage activity, and heat status to the command-and-control (C2) server.

By halting mining activities when the device is in use and limiting its impact on the device, the malware can remain undetected for an extended period, mining cryptocurrency opportunistically.

While all reported BeatBanker infections have been in Brazil, the potential for this malware to spread to other regions remains a concern. Therefore, it is crucial for users to exercise caution and maintain good security practices.

Android users are advised to refrain from installing APKs from sources outside the official Google Play store unless they trust the source, review permissions granted to apps, and regularly scan their devices using Play Protect.

Malware tactics are evolving. The Red Report 2026 highlights how new threats utilize advanced techniques to evade detection and remain hidden.

Discover insights from analyzing 1.1 million malicious samples, uncover the top 10 techniques, and assess the effectiveness of your security measures.

Download The Report

See also  Locked Out: The Nevada Government's Battle Against Ransomware