{"id":25338,"date":"2026-03-11T15:45:04","date_gmt":"2026-03-11T11:45:04","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=25338"},"modified":"2026-03-11T15:45:04","modified_gmt":"2026-03-11T11:45:04","slug":"beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso\/25338\/","title":{"rendered":"Android trojan posing as government services and Starlink apps"},"content":{"rendered":"

To achieve their malign aims, Android malware developers have to address several challenges in a row: trick users to get inside their smartphones, dodge security software, talk victims into granting various system permissions, keep away from built-in battery optimizers that kill resource hogs, and, after all that, make sure their malware actually turns a profit. The creators of the BeatBanker \u2014 an Android\u2011based malware campaign recently discovered by our experts \u2014 have come up with something new for each one of these steps. The attack is (for now) aimed at Brazilian users, but the developers\u2019 ambitions will almost certainly push them toward international expansion, so it\u2019s worth staying on guard and studying the threat actor\u2019s tricks. You can find a full technical analysis of the malware on Securelist<\/a>.<\/p>\n

How BeatBanker infiltrates a smartphone<\/h2>\n

The malware is distributed through specially crafted phishing pages that mimic the Google Play Store. A page that\u2019s easily mistaken for the official app marketplace invites users to download a seemingly useful app. In one campaign, the trojan disguised itself as the Brazilian government services app, INSS Reembolso; in another, it posed as the Starlink app.<\/p>\n

\"The<\/a>

The malicious site cupomgratisfood{.}shop does an excellent job imitating an app store. It\u2019s just unclear why the fake INSS Reembolso appears all of three times. To be extra sure, perhaps?!<\/p><\/div>\n

The installation takes place in several stages to avoid requesting too many permissions at once and to further lull the victim\u2019s vigilance. After the first app is downloaded and launched, it displays an interface that also resembles Google Play and simulates an update for the decoy app \u2014 requesting the user\u2019s permission to install apps, which doesn\u2019t look out-of-the-ordinary in context. If you grant this permission, the malware downloads additional malicious modules to your smartphone.<\/p>\n

\"After<\/a>

After installation, the trojan simulates a decoy app update via Google Play by requesting permission to install applications while downloading additional malicious modules in the process<\/p><\/div>\n

All components of the trojan are encrypted. Before decrypting and proceeding to the next stages of infection, it checks to ensure it\u2019s on a real smartphone and in the target country. BeatBanker immediately terminates its own process if it finds any discrepancies or detects that it\u2019s running in emulated or analysis environments. This complicates dynamic analysis of the malware. Incidentally, the fake update downloader injects modules directly into RAM to avoid creating files on the smartphone that would be visible to security software.<\/p>\n

All these tricks are nothing new and frequently used in complex malware for desktop computers. However, for smartphones, such sophistication is still a rarity, and not every security tool will spot it. Users of Kaspersky products<\/a>\u00a0are protected from this threat.<\/p>\n

Playing audio as a shield<\/h2>\n

Once established on the smartphone, BeatBanker downloads a module for mining Monero cryptocurrency. The authors were very concerned that the smartphone\u2019s aggressive battery optimization systems might shut down the miner, so they came up with a trick: playing an all-but-inaudible sound at all times. Power consumption control systems typically spare apps that are playing audio or video to avoid cutting off background music or podcast players. In this way, the malware can run continuously. Additionally, it displays a persistent notification in the status bar, asking the user to keep the phone on for a system update.<\/p>\n

\"Example<\/a>

Example of a persistent system update notification from another malicious app masquerading as the Starlink app<\/p><\/div>\n

Control via Google<\/h2>\n

To manage the trojan, the authors leverage Google\u2019s legitimate Firebase Cloud Messaging (FCM) \u2014 a system for receiving notifications and sending data from a smartphone. This feature is available to all apps and it\u2019s the most popular method for sending and receiving data. Thanks to FCM, attackers can monitor the device\u2019s status and change its settings as needed.<\/p>\n

Nothing bad happens for a while after the malware is installed: the attackers wait it out. Then they trigger the miner, but they\u2019re careful to throttle it back if the phone overheats, the battery starts dipping, or the owner happens to be using the device. All of this is handled via FCM.<\/p>\n

Theft and espionage<\/h2>\n

In addition to the crypto miner, BeatBanker installs extra modules to spy on the user and rob them at the right moment. The spyware module requests Accessibility Services permission, and if this is granted, begins monitoring everything that\u2019s happening on the smartphone.<\/p>\n

If the owner opens the Binance or Trust Wallet app to send USDT, the malware overlays a fake screen on top of the wallet interface, effectively swapping the recipient\u2019s address for its own. All transfers go to the attackers.<\/p>\n

The trojan features an advanced remote control system and is capable of executing many other commands:<\/p>\n