Fake Starlink App Spreads Dangerous BeatBanker Android Malware
Cybersecurity researchers have discovered a new Android malware called BeatBanker that can take over infected phones, steal sensitive data, and secretly mine cryptocurrency.
The malware spreads by disguising itself as legitimate apps on websites that imitate the official Google Play Store, tricking users into downloading malicious files.
Researchers say the campaign has mainly targeted Android users in Brazil so far. However, experts warn the technique could easily spread to other countries if it proves successful, as the fake websites and apps are designed to look convincing to everyday users.
Fake apps used to trick victims
BeatBanker is typically distributed through phishing websites designed to look like the Google Play Store. These fake pages promote seemingly legitimate apps, including versions posing as government services or even SpaceX’s Starlink app.
Once installed, the malicious app displays a fake update screen that mimics the Play Store. Victims are prompted to tap an “update” button, which installs additional malicious components in the background while the screen appears to show a normal software update.

Fig 1. The fake Play Store screen that installs BeatBanker. (Source: SecureList)
Malware capable of stealing data and hijacking devices
The malware is designed with several powerful capabilities. Earlier versions included a banking Trojan that could steal credentials and interfere with cryptocurrency transactions by replacing wallet addresses during transfers.
More recent variants instead deploy a remote access tool known as BTMOB RAT. This gives attackers broad control over the infected device, allowing them to record screens, capture keystrokes, access cameras, track location, and collect sensitive data stored on the phone.

Fig 2. BTMOB RAT spying on a phone. (Source: SecureList)
Hidden crypto miner and stealth techniques
BeatBanker also installs a cryptocurrency miner that uses the phone’s processing power to generate Monero for the attackers.
To remain hidden, the malware constantly checks the device’s battery level, temperature, and whether the phone is actively being used. Mining can pause automatically to avoid alerting the user.
The malware also uses an unusual trick to stay active. It continuously plays a nearly silent five-second audio file in the background, preventing the Android system from shutting down the malicious process due to inactivity.
To communicate with attackers, BeatBanker uses Firebase Cloud Messaging, a legitimate Google service. This allows criminals to send commands to infected devices and monitor information such as battery status, charging activity, and device usage.
Security experts say the campaign highlights how mobile threats are becoming more sophisticated and harder to detect. By combining fake apps, remote control tools, and hidden cryptocurrency mining, attackers can maintain long-term access to victims’ phones.
To stay safe, users should only download apps from trusted sources like the official Google Play Store. It is also important to review app permissions carefully and keep Android devices updated with the latest security patches.
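The advice above can be checked on a device. The following is an added example, not code from the original article or the SecureList research: it parses the output of `adb shell pm list packages -i -3`, flags third-party apps that were not installed by Google Play, and raises the score for permissions that would allow the follow-on installs and background audio keep-alive described earlier. The permission heuristics, package names and sample data are assumptions constructed for illustration, not published BeatBanker indicators.

```python
import re

PLAY_STORE = "com.android.vending"  # Google Play's installer package name
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
MEDIA_FGS = "android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK"
# Heuristic flags (assumption of this example, not published BeatBanker
# indicators); each maps to a behaviour the article describes.
RISKY = {
    INSTALL: "may install further APKs",
    MEDIA_FGS: "may run a long-lived background audio service",
}
LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<src>\S+)$")


def parse_installers(pm_output):
    """Parse `pm list packages -i -3` output into {package: installer or None}."""
    result = {}
    for line in pm_output.splitlines():
        m = LINE.match(line.strip())
        if m:
            src = m.group("src")
            result[m.group("pkg")] = None if src == "null" else src
    return result


def triage(pm_output, requested_perms):
    """Return findings for apps not installed by Google Play, highest score first."""
    findings = []
    for pkg, src in parse_installers(pm_output).items():
        if src == PLAY_STORE:
            continue
        reasons = [f"installer is {src or 'unknown (sideloaded)'}"]
        reasons += [RISKY[p] for p in sorted(requested_perms.get(pkg, ())) if p in RISKY]
        findings.append({"package": pkg, "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["package"]))


# Constructed sample data; the com.example.* package names are hypothetical.
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
"""
SAMPLE_PERMS = {
    "com.example.fakeupdate": {INSTALL, MEDIA_FGS, "android.permission.INTERNET"},
    "com.example.flashlight": {"android.permission.CAMERA"},
}

if __name__ == "__main__":
    print(*triage(SAMPLE_PM, SAMPLE_PERMS), sep="\n")
```

A high score marks an app for manual review, not a confirmed infection; legitimately sideloaded apps will also appear in the output.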