The BeatBanker malware campaign was discovered recently. It uses a unique method to persist on Android devices and mostly affects people in Brazil.

It steals banking information, takes over cryptocurrency transactions, and runs a crypto miner in the background. BeatBanker is especially worrisome because it uses an audio loop to hide from detection, which keeps it active on the infected device for a long time.

The First Stage of Infection and Social Engineering

The BeatBanker attack starts with a social engineering trick. Attackers make a fake website that looks a lot like the Google Play Store.

They trick the victim into downloading a malicious app that poses as INSS Reembolso, a trusted Brazilian government app.

The fake app asks users for permission to install, which makes them download the malware without knowing it. The malicious APK contains a shared library (libludwwiuh.so) that decrypts another ELF file and then loads the DEX file. This method lets the malware run without being saved on the file system, which makes it hard for regular antivirus software to find.

Securelist says that the malware uses the Java Native Interface (JNI) to keep running, which lets it get around mobile security products.

[Image: Targets of BeatBanker Crypto Wallets (Source: Securelist)]

Once executed, the malware displays a Google Play Store-like interface, tricking the victim into thinking the INSS Reembolso app needs an update. The user is led to click on an “Update” button, which then silently downloads the cryptocurrency miner payload.

This payload is an XMRig miner that connects to a mining pool to mine the Monero cryptocurrency. It uses up the victim's device resources and battery.

Audio Loop for Persistence

The malware uses a new way to stay on the device: it plays an almost inaudible audio file over and over again.

The operating system can't stop the malicious process because the device thinks it's playing media. This keeps the malware active on the victim's device even when the system is idle. The audio file is only five seconds long. It contains Chinese words, making it difficult to detect through normal user behavior.

To keep BeatBanker and other threats like it from happening, it is very important to:

Only get apps from sources you trust: Use only the official Google Play Store and check the developer's credentials.

Check the app's permissions: Be careful of apps that ask for a lot of permissions, especially those that have to do with accessibility and installing third-party APKs.

Update your devices and apps often: Security updates fix known problems and keep your devices safe.

This sophisticated malware campaign is an example of how attackers are constantly innovating their techniques, using new tools and strategies to evade detection. Organizations and individuals must stay vigilant and implement robust security measures to protect sensitive financial and personal data from these evolving threats.
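The first two recommendations (app source and risky permissions) can be checked on a device over adb. This is an added example, not code from Securelist or the original article: it triages the output of `pm list packages -i -3` and `settings get secure enabled_accessibility_services`. The package names and sample outputs are constructed, and the set of packages requesting REQUEST_INSTALL_PACKAGES is assumed to have been collected separately.

```python
import re

# Only the official Google Play Store counts as a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}
PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample of `adb shell pm list packages -i -3` (third-party apps only).
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.refund  installer=null
package:com.example.game  installer=com.example.thirdpartystore
package:com.example.reader  installer=null
"""
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = "com.example.refund/com.example.refund.Svc:com.example.notes/.ReadAloud"
# Assumption: packages requesting REQUEST_INSTALL_PACKAGES, gathered separately.
SAMPLE_INSTALL_PERM = {"com.example.refund", "com.example.game"}

def parse_installers(pm_output):
    """Map package name -> installer package (None when no installer is recorded)."""
    result = {}
    for line in pm_output.splitlines():
        match = PM_LINE.match(line.strip())
        if match:
            pkg, installer = match.groups()
            result[pkg] = None if installer == "null" else installer
    return result

def parse_accessibility(setting_value):
    """Return packages owning an enabled accessibility service (pkg/class:pkg/class)."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def triage(pm_output, a11y_setting, install_perm_pkgs):
    """Flag apps not installed by a trusted store that also hold a risky capability."""
    a11y = parse_accessibility(a11y_setting)
    findings = {}
    for pkg, installer in parse_installers(pm_output).items():
        if installer in TRUSTED_INSTALLERS:
            continue
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if pkg in install_perm_pkgs:
            reasons.append("can request installation of other APKs")
        if reasons:
            findings[pkg] = ["installer=%s" % installer] + reasons
    return findings
```

A flagged package is a lead for manual review, not a verdict: a sideloaded app with no risky capability is not reported, and a Play-installed app is skipped even if it has an accessibility service.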