BeatBanker: An Android Trojan that operates in two modes

[fullfitlarry]

Kaspersky recently identified a Android base malware that target Brazil again. The mode of infection is that it spreads thru phishing attacks disguised as a legitimate apps in Google Play Store.

For it's cryptocurrency capability,

• It deploys a banker in addition to a cryptocurrency miner.
• When the user attempts to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address.

So it will deploy as a miner and then track and monitor if you will make a USDT transaction and then becoming a copy and paste malware.



So far this is the domain that has been identified.

Code:

cupomgratisfood[.]shop
fud2026[.]com
accessor.fud2026[.]com
pool.fud2026[.]com
pool-proxy.fud2026[.]com
aptabase.fud2026[.]com
aptabase.khwdji319[.]xyz
btmob[.]xyz
bt-mob[.]net

https://securelist.com/beatbanker-miner-and-banker/119121/

So if someone from our Brazilian friends might have been reading this, so just be careful and download only from legitimate source.

[Coloma612]

When the user attempts to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address.

The "address replacement" trick is still one of the most effective ways to steal funds because even experienced users sometimes forget to double check every single character after pasting.

It is a good reminder that mobile security is often weaker than desktop. If you are using Trust Wallet or Binance on Android, always verify the address on a second device or at least check the last 5-10 digits before hitting send. Thanks for sharing the domains list.

[fullfitlarry]

When the user attempts to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address.

The "address replacement" trick is still one of the most effective ways to steal funds because even experienced users sometimes forget to double check every single character after pasting.

It is a good reminder that mobile security is often weaker than desktop. If you are using Trust Wallet or Binance on Android, always verify the address on a second device or at least check the last 5-10 digits before hitting send. Thanks for sharing the domains list.

It is, that's why we really need to be very careful about sending someone our precious Bitcoin by checking the address first.

Or scan our hardware with the latest ant-virus as there could be malware hiding somewhere. Although not all can be tracked by anti-virus, at least this is a good practice. And not putting a lot of crypto in our pc or laptop, maybe just enough for us to used for daily like trading.

Yes, Android is not that good, but still if we practice safe hygiene, we could all be good.

[Siros]

So far this is the domain that has been identified.

Thanks for the warning and the domain list. These phishing attacks disguised as legitimate apps are the biggest threat for mobile wallet users right now. I always tell people that if they are doing large USDT transactions it is better to use a dedicated device or at least a hardware wallet that shows the address on a physical screen. Stay safe out there

[Patikno]

The Beatbanker malware poses numerous Android security threats. It doesn't just steal information from Android devices, but it can also execute commands that harm users.

Some of the most dangerous things I have seen from the source the OP cited: include stealing authentication codes in Google Authenticator, bypassing security, accessing text from the clipboard, changing cryptocurrency addresses (especially USDT) when it detects a transaction, opening links in browsers, stealing information by activating a keylogger, and much more. It is truly terrifying; some of the things I have cited from the source are among the most dangerous. I think there is no way out for a user infected with this malware, except to perform a full wipe, and reset the device to its original factory firmware.

Fortunately, this malware can be avoided because it doesn't operate directly (requires user authorization), which means we must be vigilant in every activity we perform on our devices, and avoid being easily fooled by apps that look like official apps (like Google Play). The source also recommends: always using the official app for the device in question, checking and verifying its authenticity, then recommend to always checking every installed application, especially APKs from third parties or unknown sources (although, I don't recommend anyone using these types of applications).

By the way, I suspect this attack could spread to other countries (not just Brazil), so we need to remember this warning to avoid being fooled by such malware tricks. Essentially, most cyberattacks require our authorization to provide a loophole, so don't carelessly grant any authorization, especially to install applications from unknown sources.

There are so many things that can threaten our devices in this online world. If you are the type of person who likes to surf and experiment with many things, then use a device that doesn't contain important information, or sensitive data (including cryptocurrency assets). Essentially, try to separate important devices from those you can afford to expose to threats. Personally, I have a dedicated device that I frequently use to experiment with various things, including dangerous ones, and I deliberately don't store any important information on it. So, if something happens to my device, I won't lose anything valuable. I hope my advice helps you.

[Mia Chloe]

The Beatbanker malware poses numerous Android security threats. It doesn't just steal information from Android devices, but it can also execute commands that harm users.

Security and privacy is actually becoming more and more difficult every day that passes. We barely have safe routes these days and sadly over 50% of these threats of not more are coming from the internet and you literally can't do almost anything without going online which can complicate things for you.

~snip

Is this only affecting people from Brazil or everyone that falls for it, plus how feasible is the functionality of the malware on bitcoin only wallets I'm asking because you didn't mention any so far.

[DubemIfedigbo001]

• When the user attempts to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address.

Maybe, Just maybe those that used the "Withdraw again" features on Binance would be somehow safe from it's manipulations since the app would put in the previously used address automatically for you and I doubt the overlay page would be able to retrieve your withdrawal history from Binance database, so it may only be affecting those who copy and paste addresses in withdrawal pages,. Or maybe when you send to a new address.

If you are still cautious and not do Ctrl+C and Ctrl+V mindlessly but check your addresses carefully with the source, you would notice the disparity between the two addresses soon enough.

[fullfitlarry]

The Beatbanker malware poses numerous Android security threats. It doesn't just steal information from Android devices, but it can also execute commands that harm users.

Security and privacy is actually becoming more and more difficult every day that passes. We barely have safe routes these days and sadly over 50% of these threats of not more are coming from the internet and you literally can't do almost anything without going online which can complicate things for you.

~snip

Is this only affecting people from Brazil or everyone that falls for it, plus how feasible is the functionality of the malware on bitcoin only wallets I'm asking because you didn't mention any so far.

Yes, initially it was affecting Brazilian users. But we all know that this is just the beginning.



From what I observed, usually this is how they will moved, Banking system->cryptocurrency. So they will just evolved and could released the next iteration of this malware that will include everything, from USDT to Bitcoin and any other altcoin addresses and that is very dangerous to all of us.

[Nathrixxx]

We can neglect information source and that is one of the reason why you this forum has been the best platform to discuss about cryptocurrency, not only that, also share more information about what is expected of everyone to know or do to prevent our asset from being taken by others, scam attends like this must be exposed and others have to know what is happening by being informed of their tactics.

[Somegory]

So far this is the domain that has been identified.

Thanks for the warning and the domain list. These phishing attacks disguised as legitimate apps are the biggest threat for mobile wallet users right now. I always tell people that if they are doing large USDT transactions it is better to use a dedicated device or at least a hardware wallet that shows the address on a physical screen. Stay safe out there

With hardware wallet you don't have to copy paste any address, all you have to do is scan the QR code and you will get the correct address which adds more to the security, this is goodbye to fake address and others.

I don't know why people are still using mobile wallets with all the troubles going around android devices this days, too many vulnerability are showing up with android OS and chips, thanks to those detecting them and bring it to light, if not? Millions of people will lose their coin.

Hardware wallets will fix 90% of the problems affecting crypto investors this days, the remaining 10% problem is users keeping their recovery seed safe, in a offline way, the only way they can lose here is exposing the seeds themselves.

[Rikafip]

I don't know why people are still using mobile wallets with all the troubles going around android devices this days

Because some people still need a hot wallet for an easy and convenient access to their crypto.

Trick is not to store large amounts on them, but only a few hundreds of dollars worth of crypto so if something happens, you won't lose much. At least that's what I am doing.