Bitcoin Forum
Topic: BeatBanker: An Android Trojan that operates in two modes
fullfitlarry (OP)
March 11, 2026, 09:20:27 AM
 #1

Kaspersky recently identified an Android-based malware that targets Brazil again. The mode of infection is that it spreads through phishing attacks, disguised as legitimate apps in the Google Play Store.

For its cryptocurrency capability,

  • It deploys a banker in addition to a cryptocurrency miner.
  • When the user attempts to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address.

So it will deploy as a miner and then track and monitor whether you make a USDT transaction, and then become a copy-and-paste malware.



So far these are the domains that have been identified.


https://securelist.com/beatbanker-miner-and-banker/119121/

So if any of our Brazilian friends are reading this, just be careful and download only from legitimate sources.

Coloma612
March 12, 2026, 02:31:06 PM
 #2

"When the user attempts to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address."

The "address replacement" trick is still one of the most effective ways to steal funds because even experienced users sometimes forget to double check every single character after pasting.

It is a good reminder that mobile security is often weaker than desktop. If you are using Trust Wallet or Binance on Android, always verify the address on a second device or at least check the last 5-10 digits before hitting send. Thanks for sharing the domains list.