BeatBanker Android malware hides as a fake Starlink app and can take over phones
BeatBanker is a newly documented Android threat that spreads through fake app pages posing as Google Play and, in one recent campaign, masqueraded as a Starlink app. Once installed, it can steal data, mine Monero, and in newer samples, hand full device control to the BTMOB RAT. Kaspersky says the activity it tracked so far targeted users in Brazil.
The immediate takeaway is simple. Do not install APKs from lookalike app store pages. Google says Play Protect checks apps from Google Play and also scans apps from other sources, warning users about harmful software and in some cases blocking or removing it.
What makes this campaign stand out is its mix of old and new Android crimeware tactics. Earlier BeatBanker variants focused on banking theft and crypto transaction tampering. The latest Starlink-themed samples still include mining components, but Kaspersky says they now drop BTMOB RAT instead of the original banking module, giving attackers broader control over infected phones.
What BeatBanker does
| Capability | What researchers found |
|---|---|
| Fake app lure | A fraudulent Starlink app used to deliver the malware |
| Target region | Victims observed in Brazil |
| Theft features | Credential theft and crypto transaction tampering in earlier variants |
| Extra payload | Newer samples deploy BTMOB RAT |
| Device abuse | Monero mining on Android hardware |
| Evasion and persistence | Hidden code loading, delayed actions, fixed notifications, and looped low-volume audio |
Source: Kaspersky Securelist report.
Why this malware is more dangerous than a normal fake app
A lot of Android malware tries to steal one thing, usually banking credentials, SMS messages, or crypto wallet data. BeatBanker goes further. Kaspersky describes it as a dual-mode threat that can both drain device resources through Monero mining and support financial theft. In the newest samples, attackers swap in a remote access tool that expands surveillance and control far beyond banking fraud.
That shift matters because BTMOB RAT is not a minor add-on. Kaspersky says it can help operators gain persistent background access, capture keystrokes, monitor location, access front and rear cameras, record screens in real time, and collect sensitive data continuously. On a compromised device, that turns a fake app infection into a near-total privacy breach.

The campaign also shows how attackers keep adapting to Android defenses. Google said last year that its analysis found more than 50 times more malware from internet-sideloaded sources than from apps on Google Play. Google is now rolling out developer verification requirements for sideloaded apps on certified Android devices in select markets, including Brazil from September 2026.
How the infection works
- The victim lands on a phishing page that imitates Google Play.
- The page pushes a malicious APK disguised as a trusted app, including a fake Starlink app in one campaign.
- The malware checks whether it is running in an analysis environment before fully launching.
- It uses native libraries to decrypt and load hidden code in memory.
- It shows fake update prompts and seeks permissions that let it install or load more payloads.
- Newer samples then deploy BTMOB RAT, while other BeatBanker builds also run a modified XMRig miner.

The odd persistence trick researchers found
One of the strangest details in Kaspersky’s analysis is the malware’s use of an almost inaudible audio loop. The report says BeatBanker continuously plays a short MP3 file to keep its foreground service alive and make Android less likely to suspend the malicious process for inactivity.
That is unusual, but it fits the rest of the malware’s design. BeatBanker appears built to stay quiet, delay obvious malicious actions, and keep running long enough to mine cryptocurrency, monitor device conditions, or wait for remote commands. Kaspersky also says the malware uses Firebase Cloud Messaging, a legitimate Google service, as part of its communications flow. Firebase’s official documentation confirms FCM is a general messaging system for delivering app messages and data payloads, which helps explain why attackers like to abuse it.
What users should do right now
- Install apps only from Google Play or your device maker’s official store.
- Keep Play Protect turned on. Google says it is enabled by default and recommends leaving it on.
- Let Play Protect scan unknown apps from outside Google Play.
- Be suspicious of app pages that mimic Google Play in a browser. Open the real Play Store app instead. This warning follows directly from Kaspersky’s infection chain description and Google’s guidance on harmful apps from other sources.
- Check app permissions closely, especially requests tied to accessibility, installation, overlays, or broad device control. Kaspersky explicitly recommends permission scrutiny for threats like this.
- Update Android and your mobile security software regularly.
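As an added example (not from the article or Kaspersky's report), the Python triage below parses an AndroidManifest.xml and flags the permission and service patterns the article ties to this campaign: package installation, overlays for fake update prompts, foreground-service persistence, accessibility-style device control, and camera, microphone or location access. The permission names are real Android identifiers; the sample manifest and the scoring are constructed assumptions.

```python
"""Flag manifest patterns the BeatBanker write-up highlights. Added example;
the manifest below is constructed and the one-point-per-finding score is illustrative."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions that map onto the behaviours described in the article.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further payloads",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays such as fake update prompts",
    "android.permission.FOREGROUND_SERVICE": "can keep a long-running foreground service alive",
    "android.permission.CAMERA": "camera access",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.ACCESS_FINE_LOCATION": "location monitoring",
}

def triage_manifest(xml_text: str) -> dict:
    """Return package name, human-readable findings and a simple score."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    findings = [why for perm, why in RISKY_PERMISSIONS.items() if perm in perms]
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is the "broad device control" case.
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append("declares an accessibility service")
    # Install rights plus overlays is the pairing the described infection chain relies on.
    if {"android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.SYSTEM_ALERT_WINDOW"} <= perms:
        findings.append("install + overlay combination: can stage and disguise payload installs")
    return {"package": root.get("package"), "findings": findings, "score": len(findings)}

# Constructed manifest resembling the permission profile described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["score"])
    for line in result["findings"]:
        print(" -", line)
```

A score alone is not a verdict; legitimate apps request some of these permissions, so the findings are meant to direct a reviewer's attention, not to block an install automatically.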
Quick comparison
| Question | Answer |
|---|---|
| Is BeatBanker on Google Play? | The reported campaign used fake Play Store pages, not the real store |
| Who was targeted? | Kaspersky observed victims in Brazil |
| What does it steal? | Credentials, crypto-related data, and broad device telemetry |
| What else does it do? | Monero mining and, in newer samples, remote access via BTMOB RAT |
| Why is sideloading risky here? | Google says internet-sideloaded sources produce far more malware than Google Play |
FAQ
BeatBanker is an Android malware family that combines financial theft features with crypto mining, and in newer variants can deploy BTMOB RAT for full remote control.
Kaspersky says one recent campaign delivered the malware through a fraudulent Starlink app on phishing pages that imitated Google Play.
Yes. Kaspersky says the BTMOB payload supports screen recording, keylogging, camera access, GPS tracking, and capture of lock-screen credentials.
The observed victims were in Brazil, but the tactics could spread if attackers see success. That expansion risk is an inference based on the campaign model, while the confirmed victim set in the report is Brazil.
Use the real Google Play Store, keep Play Protect on, avoid browser-based download pages pretending to be app stores, and review permissions before installing anything.