category malware
published March 2026
read_time 13 min
source Kaspersky Securelist

BeatBanker: The Android Trojan That Mines, Steals, and Refuses to Die

A newly documented Android threat campaign out of Brazil has found a way to simultaneously drain your battery, empty your crypto wallet, and take full remote control of your phone — all while staying invisible by playing music you cannot hear.

Kaspersky researchers disclosed BeatBanker in March 2026 after uncovering a sustained campaign targeting Android users in Brazil. The disclosure was accompanied by analysis from Fabio Assolini, Head of the Americas and Europe Units at Kaspersky's Global Research and Analysis Team (GReAT), who noted that the campaign's initial lure presented as a simple utility application while concealing a dual-purpose payload. What makes BeatBanker stand out in a crowded field of mobile threats is not any single capability, but the way it stacks multiple revenue streams and attack vectors into one persistent, shape-shifting package. At initial deployment it combines a Monero cryptocurrency miner with a banking trojan module. In its most recent variant it replaces the banking module entirely with BTMOB RAT, a commercially sold Android remote access tool that gives operators complete control of an infected device. The name BeatBanker was chosen by the Kaspersky team because of the trojan's signature persistence trick: it keeps itself alive by silently looping an audio file, exploiting the way Android handles foreground audio services.

The campaign illustrates a maturing trend in mobile malware, where threat actors are no longer content with a single monetization path. Instead, they engineer layered payloads that extract value through cryptomining while simultaneously enabling financial fraud, then pivot to a full-device takeover capability when the operational need arises. The result is a threat that is difficult to detect, difficult to remove, and difficult to attribute to a single criminal motivation.

How the Infection Begins

BeatBanker reaches victims through a counterfeit website — cupomgratisfood[.]shop — designed to look exactly like the Google Play Store. The fake store hosts an app called "INSS Reembolso," which poses as the official mobile portal of Brazil's Instituto Nacional do Seguro Social (INSS), a government service that handles more than 90 social security functions including retirement applications, medical exam scheduling, and payment statement tracking. The impersonation is deliberate: INSS is one of the most widely used government platforms in Brazil, making it a high-value social engineering lure. Other apps listed on the fake store are assessed to be trojans as well, though Kaspersky researchers had not yet obtained samples at the time of disclosure.

A more recent campaign variant leveraged a fraudulent StarLink application distributed through the same counterfeit Play Store infrastructure. The infection chain across both variants is identical. The malicious APK file is packed and uses a native shared library — an ELF file named libludwwiuh.so — to decrypt and load hidden DEX code directly into memory rather than writing it to disk. This in-memory loading technique is a deliberate evasion measure designed to defeat static analysis tools that scan installed files on the device.

note

Before launching any malicious activity, BeatBanker performs environment checks to confirm it is running on a real device rather than inside an analysis sandbox. These checks include verifying the device's IP address, confirming the device class is a mobile phone, and checking whether the user is connected through a VPN. If any check fails, the malware exits without executing its payload, making dynamic analysis significantly harder for researchers. The VPN check is worth noting: it does not mean a VPN protects users from BeatBanker — it means the malware fingerprints the network context before proceeding, likely to avoid analyst environments and to profile victim connectivity for operational decisions.

Once the environment checks pass, the app displays a fake Google Play Store update screen and uses it to prompt the user into granting permissions for installing additional payloads. This is a well-established social engineering pattern: by mimicking a trusted update interface at the moment of first launch, the malware maximizes the chance the user will approve elevated permissions without suspicion. The dropper then installs a second APK — package name com.destination.cosmetics, labeled "INSS Reebolso" — which serves as the dedicated banking module and also registers for foreground service permissions through pinned notifications. BeatBanker also deliberately delays the start of its malicious operations for a period after installation, further reducing the likelihood that an alert user or a security tool will connect the newly installed app to unusual device behavior.

This delay tactic, combined with the environment check, means BeatBanker is effectively invisible during the period when most users would be most alert — the first few minutes after installing an unfamiliar app. By the time any suspicious behavior surfaces, the malware has already established both its persistence anchor and its C2 channel.

The Audio Loop: A Persistence Trick Built Around Android's Rules

The defining technical characteristic of BeatBanker — and the reason Kaspersky named it as they did — is the way it achieves persistence on Android. The trojan runs a service called KeepAliveServiceMediaPlayback, which continuously loops a short audio file named output8.mp3. The file is approximately five seconds long and contains words spoken in Chinese. The audio is engineered to be nearly inaudible, but its existence is what matters operationally: Android treats an application that is actively playing audio as a foreground process, which the operating system is reluctant to terminate even under memory pressure.

According to Kaspersky Securelist's March 2026 analysis, the operators used a creative persistence mechanism: a continuously looped, nearly silent audio track that prevents Android from shutting down the process due to inactivity.
— Kaspersky Securelist, "BeatBanker: both banker and miner for Android," March 2026

In addition to the audio loop, BeatBanker employs pinned notifications to further anchor its foreground service. Android's notification pinning mechanism is designed to let legitimate apps — navigation tools, music players, fitness trackers — signal to users that they are actively running. BeatBanker abuses this system to prevent the OS from cleaning up the process during memory reclamation cycles. Together, the audio loop and the pinned notification create redundant anchors that make the malware process resilient against both automatic OS management and manual attempts by the user to force-stop background apps.

The Monero Miner: Silent Extraction on Your Hardware

The cryptocurrency mining component of BeatBanker is built around XMRig version 6.17.0, compiled for ARM architecture — the processor type used in virtually all Android smartphones. XMRig is an open-source Monero mining tool that has been repurposed by numerous threat actors precisely because Monero's mining algorithm (RandomX) is CPU-friendly and because Monero's privacy features make it difficult to trace transaction flows back to wallet owners.

BeatBanker downloads the miner dynamically by issuing a GET request to either hxxps://accessor.fud2026.com/libmine-<arch>.so or hxxps://fud2026.com/libmine-<arch>.so. The downloaded file is decrypted using CipherInputStream(), with the decryption key derived from the SHA-1 hash of the file's own name — meaning each architecture variant is encrypted with a unique key, complicating bulk analysis. After decryption, the file is renamed d-miner and executed. The miner attempts a direct TCP connection to pool.fud2026[.]com:9000, falling back automatically to pool-proxy.fud2026[.]com:9000 if the primary pool is unreachable, ensuring mining continuity even if one endpoint goes offline.

What makes this implementation particularly stealthy is the intelligence built around when it mines. BeatBanker uses Firebase Cloud Messaging (FCM) — Google's own legitimate push notification infrastructure — to continuously relay device telemetry back to its operators. The parameters monitored include batteryLevel, isCharging, temperature, and isUserAway. Mining is activated only when the device is plugged in and idle, and it is paused if the device temperature rises to a dangerous level or if the user picks up the phone. By restricting CPU-intensive operations to idle charging windows, the malware avoids the sudden performance drops and heat spikes that would alert a user to something being wrong.

warning

Using Google's Firebase Cloud Messaging as a C2 channel is a calculated evasion choice. Because FCM traffic is encrypted and originates from Google infrastructure, many corporate and consumer firewalls will not flag it as suspicious. Commands arrive via legitimate push notifications, making it much harder for network monitoring tools to distinguish malicious C2 traffic from ordinary app communication.

The Banking Module: Crypto Theft Through Overlay Attacks

Running in parallel with the miner, BeatBanker's original banking module targets cryptocurrency transactions specifically. The trojan monitors running processes on the infected device and watches for two applications in particular: Binance (package name com.binance.dev) and Trust Wallet (package name com.wallet.crypto.trustapp). When the user opens either app and initiates a USDT (Tether) transfer, BeatBanker intercepts the transaction and overlays a spoofed interface on top of the legitimate app screen.

The mechanism for address replacement is more precise than a simple overlay swap. BeatBanker uses the Android Accessibility API action AccessibilityNodeInfo.ACTION_SET_TEXT to directly overwrite the destination wallet address field in the UI of the targeted app. For Binance, the victim sees the copied address still displayed — the substitution happens beneath the visible interface. For Trust Wallet, the app shows a loading spinner during the replacement, briefly concealing the change. Because cryptocurrency transactions are irreversible once confirmed on-chain, there is no recovery path for victims.

The banking module extends beyond crypto apps. It monitors a specific set of browsers installed on the device — including Chrome, Firefox, Brave, Opera, Edge, DuckDuckGo Browser, and Samsung Internet — and harvests URLs the victim visits by matching them against the regular expression ^(?:https?://)?(?:[^:/\\]+\.)?([^:/\\]+\.[^:/\\]+). It also provides operators with management tools for links saved in the device's default browser — including the ability to add, edit, delete, or open links on command. The module receives further instructions from the C2, enabling operators to collect personal information and assert incremental control over the device.
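To make concrete what the quoted pattern actually records, here is an added Python check that runs the module's regular expression, exactly as quoted above, over a handful of constructed sample URLs. This is example code written for this page, not code from the report or from the malware, and the URLs are made up. It shows that the capture group keeps only the last two host labels (so a visit to www.exemplo.com.br is logged as com.br), and that hosts carrying a port or no dot at all are skipped entirely:

```python
import re

# Pattern quoted in the analysis. Inside each character class the doubled
# backslash is a literal backslash, so the class excludes ':', '/' and '\'.
HARVEST_RE = re.compile(r"^(?:https?://)?(?:[^:/\\]+\.)?([^:/\\]+\.[^:/\\]+)")

def harvested_value(url: str):
    """Return what the banking module's pattern would capture for a visited URL,
    or None when the pattern does not match at all."""
    m = HARVEST_RE.match(url)
    return m.group(1) if m else None

# Constructed sample of URLs a victim might visit (not taken from the report).
SAMPLE_URLS = [
    "https://app.bank.example/login",     # three labels -> last two kept
    "https://www.exemplo.com.br/conta",   # .com.br host collapses to "com.br"
    "http://localhost:8080/",             # no dot before the port -> no match
    "example.net/path",                   # scheme is optional in the pattern
]

def harvest_report(urls=SAMPLE_URLS) -> dict:
    """Map each URL to the value the pattern would harvest from it."""
    return {u: harvested_value(u) for u in urls}

if __name__ == "__main__":
    for url, captured in harvest_report().items():
        print(f"{url!r:40} -> {captured!r}")
```

The greedy optional prefix group backtracks from the longest possible match, which is why the capture is always the final two labels of the host rather than the registrable domain; for defenders that detail matters when correlating harvested values against visited sites.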

why this matters

The address-replacement technique does not require the malware to intercept network traffic or break encryption. It operates entirely within the device's own UI layer, using Android's own accessibility framework. No on-chain anomaly is generated until after the transaction is confirmed — at which point the money is already gone. Traditional mobile security tools that focus on network-layer threats or app integrity checks will not catch this attack vector.

BTMOB RAT: The Evolution to Full Device Takeover

Kaspersky's most significant finding is that newer BeatBanker samples have replaced the banking module entirely with BTMOB RAT, a commercially sold Android remote access tool. This shift represents an escalation from targeted financial fraud to comprehensive device compromise.

BTMOB RAT traces its lineage through CraxsRAT, CypherRAT, and SpySolr — a family of Android RATs developed and distributed by a threat actor tracked under the alias EVLF. Cyfirma researchers unmasked EVLF in August 2023 as a Syria-based developer who had been selling malicious tools for approximately eight years, accumulating an estimated $75,000 from lifetime RAT licenses. The CraxsRAT builder alone had been sold to over 100 distinct threat actors before the BTMOB rebranding. Cyble Research and Intelligence Labs first documented BTMOB in February 2025, finding approximately fifteen samples of version 2.5 in circulation since late January of that year. BTMOB has since continued to evolve, with versions progressing from v2.5 to at least v4.0 by late 2025, according to analysts at ANY.RUN. The RAT is sold through a Malware-as-a-Service model, with lifetime licenses carrying a reported price of approximately $5,000 and ongoing support available for a monthly fee. Its marketing infrastructure includes the website btmob[.]xyz, a GitHub account under the username "brmobrats," a Telegram contact channel, and a YouTube channel demonstrating operational use. Leaked BTMOB source code has also appeared on dark web forums, enabling actors without the technical skill to build their own tooling to launch campaigns using full remote access capabilities.

The fact that EVLF's identity was publicly uncovered in 2023 has not halted the BTMOB project's commercial momentum. The MaaS structure insulates the tool's proliferation from any single actor's exposure, because the builder and distribution channels survive the unmasking of the developer. This is a structural problem for defenders: attribution does not equal disruption when the tooling is already widely distributed.

Kaspersky's March 2026 Securelist report describes BTMOB as an Android remote administration tool descended from the CraxsRAT, CypherRAT, and SpySolr families, sold commercially under a Malware-as-a-Service model that provides buyers with complete remote control over infected devices.
— Kaspersky Securelist, "BeatBanker: both banker and miner for Android," March 2026

The capabilities BTMOB RAT delivers to operators are extensive. Once deployed, the RAT provides full device control, keylogging, real-time screen recording, camera access, GPS location tracking, and credential capture. It includes protection mechanisms against the device being restarted, against the app being deleted, and against lock screen resets. Its configuration is stored in obfuscated, XOR-encrypted form — the decryption routine uses repetitive XOR between the encrypted data and a short key, a lightweight but functional approach to making static analysis harder. Despite this obfuscation, Kaspersky researchers were able to identify the configuration parser and confirm the persistence features.
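Kaspersky describes the BTMOB configuration as protected by repetitive XOR with a short key. The Python helper below is an added analyst example written for this page; it is not the RAT's own routine and not the researchers' parser. The configuration text, the key k3y and the candidate key list are all constructed. It decodes a blob with a known repeating key and, when the key is unknown, ranks candidate keys (in practice, strings pulled from the sample) by how much printable text each one produces, which is the usual first pass against this kind of obfuscation:

```python
def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Apply repeating-key XOR. The operation is its own inverse, so the same
    call both obfuscates and recovers the data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace.
    A correct key on a text config should push this to 1.0."""
    if not buf:
        return 0.0
    ok = sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(buf)

def rank_candidate_keys(blob: bytes, candidates) -> list:
    """Try every candidate key and return (key, printable_ratio) best-first."""
    scored = [(k, printable_ratio(xor_repeating(blob, k))) for k in candidates]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)

# Constructed sample configuration and key (not a real BTMOB config or key).
SAMPLE_CONFIG = b'{"host":"c2.example.invalid","port":443,"id":"demo"}'
SAMPLE_KEY = b"k3y"
ENCRYPTED_BLOB = xor_repeating(SAMPLE_CONFIG, SAMPLE_KEY)

def recover_config(blob: bytes = ENCRYPTED_BLOB,
                   candidates=(b"abc", b"k3y", b"\x00")) -> bytes:
    """Pick the candidate key that yields the most printable output and decode."""
    best_key, _ = rank_candidate_keys(blob, candidates)[0]
    return xor_repeating(blob, best_key)

if __name__ == "__main__":
    print(ENCRYPTED_BLOB.hex())
    print(recover_config().decode())
```

The printable-ratio heuristic is deliberately simple: it is enough to separate a correct short key from wrong guesses on a text configuration, and it fails loudly (low ratio everywhere) when the blob is not XOR-protected text at all.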

why this matters

BTMOB includes a specific mechanism for capturing lock screen credentials — PINs, patterns, and passwords — silently and without user interaction. This is distinct from general keylogging. It means a device that appears locked and physically out of reach is not necessarily secure from BTMOB-equipped operators, who can capture the unlock credential and gain full, unobserved access to the device at any subsequent point. Any assumption that "my phone is locked, so it's safe" does not hold against a BTMOB-class infection.

The BTMOB APK that BeatBanker drops is heavily obfuscated and makes use of Android's Accessibility Service to gain broad system permissions. This is the same abuse pattern documented by Morocco's national cybersecurity authority (DGSSI), which issued a national alert about BTMOB in mid-2025 after the RAT began appearing in campaigns targeting Moroccan citizens. Morocco's alert noted that BTMOB exploits accessibility permissions to collect sensitive information displayed on screen, including login credentials, private messages, and banking details, while bypassing Android's standard security mechanisms.

critical

BTMOB RAT's MaaS distribution model means the underlying capability is not limited to the BeatBanker campaign. Any operator who purchases or obtains a BTMOB build can deploy it independently. The leak of BTMOB source code on dark web forums further accelerates its proliferation, enabling actors without the technical skill to build their own tooling to launch campaigns with full remote access capabilities.

Distribution Channels and Geographic Scope

All confirmed BeatBanker infections observed by Kaspersky have been located in Brazil. The primary infection vector is the counterfeit Google Play Store site hosting trojanized APKs. A secondary vector has been identified in some samples: distribution via WhatsApp, which is Brazil's dominant messaging platform. Some variants have also been linked to phishing pages beyond the fake Play Store, indicating the operators are willing to diversify delivery methods when it increases their reach.

The choice of Brazil as the initial target is not arbitrary. Brazil has one of the highest mobile banking adoption rates in the world. By Q1 2025, over 90% of Brazilian adults had adopted Pix, the country's mandatory instant payment system, contributing to a 30% increase in mobile banking app usage year-over-year. Pix processed approximately 64 billion transactions worth $4.6 trillion in 2024 alone — a 53% jump over the prior year — and had recorded over 170 million individual users as of 2025, representing roughly 93% of Brazil's adult population. This concentration of real-money financial activity on mobile devices makes Brazilian smartphone users extraordinarily high-value targets. The INSS lure is particularly effective because INSS handles retirement, disability, and social security services — populations that may include less technically experienced users who are less likely to question a permission request from what appears to be a government app.

The Starlink lure variant exploits a different entry point: curiosity and aspiration. Starlink's satellite internet service has substantial name recognition in Brazil, particularly among users in areas with poor terrestrial connectivity. An app claiming to provide a Starlink portal or management interface is a plausible lure in that context — and the campaign operators appear to have timed this variant to coincide with growing consumer interest in satellite connectivity options.

Kaspersky noted that while all observed infections have been in Brazil, the malware's architecture contains nothing that geographically restricts it. BTMOB RAT itself has already been used in campaigns against Moroccan users — Morocco's national cybersecurity authority (DGSSI) issued a national alert about it after infections targeting Moroccan citizens — and ANY.RUN analysts have documented campaigns in Argentina using fake government tax agency pages. If the BeatBanker campaign proves profitable for its operators, expansion to other Latin American markets with high mobile banking adoption, or to other regions where BTMOB is already circulating, is a reasonable operational evolution.

Where BeatBanker Fits in the Wider Mobile Threat Landscape

BeatBanker did not emerge in a vacuum. Kaspersky's full-year 2025 mobile threat data shows that banking trojan attacks on Android smartphones increased by 56% over 2024, with 255,090 new unique banking trojan installation packages detected — a 271% increase over the prior year. The number of attacks involving mobile bankers grew by 1.5 times over the year. In Q1 2025, Banking Trojans accounted for 27.31% of all detected mobile malware installation packages, ranking first ahead of spy trojans for that quarter. The leading families by volume in 2025 were Mamont, which accounted for approximately 49.8% of all banking trojan packages, and Creduz at 22.5% — context that illustrates how crowded and competitive the mobile banking threat ecosystem has become even without factoring in newer entrants like BeatBanker.

What distinguishes BeatBanker in this environment is its dual-payload design and its operational intelligence. Threats that focus purely on mining sacrifice banking fraud revenue. Threats that focus purely on overlays and credential theft miss the passive income stream that cryptomining provides. BeatBanker's architecture captures both, then pivots to a RAT when operators want to escalate from fraud to full surveillance and control. The MaaS model for BTMOB means the RAT component is maintained and updated by a separate developer entity, allowing BeatBanker's operators to offload the complexity of maintaining a RAT codebase while still benefiting from its capabilities.

The Firebase C2 channel is another design choice that reflects operational maturity. Using Google's own infrastructure as a command channel means the malware does not need to maintain dedicated servers that could be taken down or blocked. It also means that network-level detection — which might flag connections to known malicious IP ranges — is bypassed entirely, since Firebase Cloud Messaging traffic looks indistinguishable from the push notification traffic generated by thousands of legitimate Android applications. This is not a new technique, but BeatBanker's use of FCM for granular device telemetry — tracking battery level, charging state, screen-on status, and temperature in near-real-time to govern mining behavior — shows a level of operational sophistication that goes beyond simply hiding C2 traffic.

Questions the Security Community Should Be Asking

BeatBanker raises several questions that are not fully answered by the Kaspersky disclosure but matter for defenders and for users trying to understand their actual exposure.

Who are the operators, and are they the same as the BTMOB developer? The Kaspersky report is clear that BTMOB is a commercially purchased tool, implying that BeatBanker's operators acquired it rather than built it. This means there are at least two distinct actor groups involved: the BTMOB developer (linked to the EVLF lineage) and the operators running the BeatBanker campaign. This distinction matters because takedown of one does not neutralize the other. The BeatBanker operators can simply purchase or acquire a different RAT if BTMOB becomes unavailable; the BTMOB ecosystem will find new operators to replace BeatBanker if that campaign is disrupted.

Why Chinese speech in an audio file targeting Brazilian users? The persistence audio file output8.mp3 contains words spoken in Chinese, which is incongruous in a campaign targeting Portuguese-speaking Brazilians. The Kaspersky report does not offer an attribution conclusion based on this artifact. Possible explanations include: the file was reused from a prior campaign targeting a different region; it was deliberately chosen to obscure attribution; or it was assembled from a generic toolkit without campaign-specific customization. The Chinese-language audio does not, by itself, indicate Chinese threat actor involvement — but it is an anomaly that warrants attention if further samples surface with similar characteristics.

Is there a connection between BeatBanker and the Keenadu or Triada preinstalled backdoor families? Kaspersky disclosed Keenadu in early 2026 as a firmware-embedded Android backdoor found in devices across Brazil, Russia, Germany, Japan, and other countries. While BeatBanker and Keenadu are documented as separate campaigns, the geographic overlap in Brazil is notable, and the preinstalled backdoor vector presents an even more severe threat model than BeatBanker's phishing-based distribution. Users whose devices carry preinstalled backdoors may be vulnerable to payloads like BTMOB RAT being delivered without any social engineering step at all.

What happens to data harvested through BTMOB after the initial campaign? The pivot from banking module to RAT suggests the operators may be interested in the infected device for reasons beyond a single USDT transaction. A device under full BTMOB control — with keylogging, screen recording, GPS, and camera access — is valuable for purposes well beyond banking fraud: corporate espionage if the victim uses the phone for work, credential harvesting for accounts beyond the targeted crypto apps, extortion using recorded media, or sale of device access to other threat actors. The escalation to RAT deployment suggests BeatBanker's operators are optimizing for the lifetime value of a compromised device, not just a one-time theft.

Key Takeaways

  1. Dual-payload design maximizes attacker revenue: BeatBanker earns passive cryptocurrency income through Monero mining while simultaneously enabling targeted financial fraud through its banking overlay module. Neither capability degrades the other; they operate concurrently based on device state.
  2. The audio persistence trick exploits Android's own foreground service rules: By looping a nearly silent audio file, BeatBanker forces Android to treat it as a foreground process the OS will not terminate. This is not a vulnerability — it is an abuse of a legitimate design feature, making it harder to patch at the OS level.
  3. The banking module uses the Accessibility API to rewrite transaction data in-place: BeatBanker does not intercept network traffic. It uses AccessibilityNodeInfo.ACTION_SET_TEXT to overwrite wallet address fields directly inside the targeted app's UI, making the fraud invisible to the user and transparent to network monitors alike.
  4. BTMOB RAT integration signals a shift from fraud to surveillance: Replacing the banking module with a full remote access tool gives operators capabilities far beyond financial theft, including real-time screen recording, GPS tracking, keylogging, and camera access. This expansion of capability suggests the operators are either selling access to infected devices or are building toward more targeted surveillance operations.
  5. Firebase as C2 infrastructure is a significant evasion advancement: Routing command-and-control traffic through Google's legitimate push notification system makes network-level detection extremely difficult. Organizations and individuals cannot block FCM without breaking a large portion of their installed Android apps.
  6. The MaaS ecosystem accelerates proliferation: BTMOB RAT's commercial availability — with lifetime licenses reportedly priced around $5,000 — and leaked source code mean the capability embedded in BeatBanker's latest variants can be independently deployed by other threat actors, broadening the threat surface beyond any single campaign.
  7. Attribution does not equal disruption: EVLF's real identity was publicly uncovered in 2023. BTMOB continued to evolve, reaching at least version 4 by late 2025. This illustrates a structural limitation of attribution-focused threat response when the underlying tooling is already widely distributed.

Deeper Defense: What Actually Works

Standard advice to "only install apps from the official Play Store" is necessary but insufficient against a campaign like BeatBanker. Brazil has documented cases of malicious apps appearing even in official stores, and the social engineering vector here — a convincing fake Play Store site distributed via WhatsApp — bypasses the official store entirely. A more useful defense posture requires thinking about multiple layers.

On the permission layer: The single most actionable defense against BeatBanker, BTMOB, and the entire class of Accessibility-abusing Android malware is to treat any Accessibility Service request as a red flag requiring active scrutiny. Android's Accessibility Services were designed to help users with disabilities interact with their devices — they were never intended as a broad system control API for third-party apps. An app claiming to be a government portal, a streaming service, a Starlink manager, or any other utility has no legitimate reason to request Accessibility Services. Refusing this permission alone would break both BeatBanker's banking module and BTMOB's core RAT functionality. Android 13 and later added additional restrictions on granting Accessibility to sideloaded apps — this is one concrete reason to stay on a current Android version.

On the network layer: Because BeatBanker uses Firebase Cloud Messaging for C2, blocking FCM at the network level is not a practical defense for most users. However, enterprise environments with Mobile Device Management (MDM) platforms can deploy behavioral monitoring policies that flag anomalous FCM traffic patterns — for example, apps that have no foreground activity but are receiving high-frequency push updates, or apps that combine persistent foreground services with active network communication to FCM endpoints. Blocking the mining pool domains (pool.fud2026[.]com and pool-proxy.fud2026[.]com) and the BTMOB infrastructure domain (btmob[.]xyz) at the network level is feasible for managed environments and adds a detection layer even if permission-based defenses are bypassed.

On the device behavior layer: The mining component provides behavioral signals that are detectable even without security software. A device that runs significantly hotter than usual, drains its battery faster during charging, and shows abnormal CPU usage from an unfamiliar process during idle periods has the signature of a cryptominer. Android's built-in battery usage settings (Settings > Battery > Battery Usage) will show which apps are consuming excessive CPU. An app listed there that you do not recognize, or that has no business running in the background, warrants immediate investigation. BeatBanker's mining constraints — only mining when charging and idle, pausing when hot or active — are designed to minimize these signals, but prolonged infection will still produce detectable patterns over time.
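The mining schedule described earlier (CPU load only while the phone is plugged in and idle, backing off when the user picks it up) is itself a detectable signature. The following Python detector is an added example for this page, not a tool from the report or from any MTD vendor; it assumes a per-interval feed of charging state, screen state and per-package CPU percentage such as an MDM agent could collect, and the sample feed and package names are constructed. It flags packages whose CPU profile is inverted relative to normal apps: heavy during idle-charging windows, near zero whenever the screen is on:

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    minute: int
    charging: bool
    screen_on: bool
    cpu_by_pkg: dict  # package name -> CPU percent during this interval

def is_idle_charging(s: Sample) -> bool:
    """The window in which the miner described above is allowed to run."""
    return s.charging and not s.screen_on

def cpu_profile(samples) -> dict:
    """Per package: (average CPU while idle-charging, average CPU otherwise)."""
    idle, other = defaultdict(list), defaultdict(list)
    for s in samples:
        bucket = idle if is_idle_charging(s) else other
        for pkg, cpu in s.cpu_by_pkg.items():
            bucket[pkg].append(cpu)
    avg = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return {p: (avg(idle[p]), avg(other[p])) for p in set(idle) | set(other)}

def flag_idle_miners(samples, idle_min=40.0, active_max=5.0) -> list:
    """Packages that burn CPU only while the phone is idle and on charge.
    Thresholds are assumptions to be tuned per fleet."""
    return sorted(pkg for pkg, (idle_avg, other_avg) in cpu_profile(samples).items()
                  if idle_avg >= idle_min and other_avg <= active_max)

# Constructed telemetry: a music player that works while the screen is on,
# and a hypothetical unknown package that only wakes up during idle charging.
SAMPLES = [
    Sample(0, False, True,  {"com.example.music": 12.0, "com.example.unknownapp": 1.0}),
    Sample(1, False, True,  {"com.example.music": 15.0, "com.example.unknownapp": 0.5}),
    Sample(2, True,  False, {"com.example.music": 1.0,  "com.example.unknownapp": 85.0}),
    Sample(3, True,  False, {"com.example.music": 0.5,  "com.example.unknownapp": 90.0}),
    Sample(4, True,  False, {"com.example.music": 1.0,  "com.example.unknownapp": 88.0}),
    Sample(5, True,  True,  {"com.example.music": 14.0, "com.example.unknownapp": 2.0}),  # user picks phone up
]

if __name__ == "__main__":
    for pkg, (idle_avg, other_avg) in sorted(cpu_profile(SAMPLES).items()):
        print(f"{pkg:28} idle-charging={idle_avg:5.1f}%  otherwise={other_avg:5.1f}%")
    print("suspect:", flag_idle_miners(SAMPLES))
```

Because the miner also pauses on high temperature, a fleet detector should tolerate gaps in the idle-charging load rather than demand a continuous plateau; averaging over the whole window, as above, does that.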

On the crypto transaction layer: The most direct protection against BeatBanker's wallet address substitution is to always verify the destination address on the confirmation screen character-by-character, ideally using a hardware wallet or a second device to confirm the address independently before approving a transfer. For high-value transactions, consider using apps that display the full destination address prominently on the confirmation screen rather than truncating it. Clipboard-based address injection — where malware replaces copied addresses in the clipboard — is a related and well-documented attack that can be tested by copying a wallet address, then pasting it into a notes app to verify it has not been replaced before proceeding with a transaction.

On the organizational layer: For security teams managing Android device fleets, BeatBanker reinforces the case for deploying Mobile Threat Defense (MTD) solutions that provide behavioral monitoring rather than signature-only detection. MTD products that specifically monitor for Accessibility Service abuse, persistent foreground services with audio playback, and anomalous FCM communication patterns will detect BeatBanker-class threats even before signature updates are published. Integrating the known BeatBanker and BTMOB IOCs — the domains, the mining pool endpoints, the BTMOB C2 infrastructure — into network-level blocklists is a lower-cost first step for organizations that cannot yet deploy full MTD.
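As a concrete first step for the network-layer and organizational-layer advice above, here is an added Python example (written for this page, not a tool from the report) that takes the defanged domains named in this article, refangs them, and scans DNS query logs for exact or parent-domain matches. The log format and client addresses are constructed; the indicator list is the one this article gives. Note the deliberate negative case: notfud2026.com must not match fud2026.com, which a naive substring check would get wrong:

```python
import re

# Indicators as written (defanged) in this article.
DEFANGED_IOCS = [
    "cupomgratisfood[.]shop",     # counterfeit Play Store site
    "fud2026[.]com",              # miner download host, parent of the pools
    "accessor.fud2026[.]com",     # alternate miner download host
    "pool.fud2026[.]com",         # primary mining pool
    "pool-proxy.fud2026[.]com",   # fallback mining pool
    "btmob[.]xyz",                # BTMOB RAT marketing infrastructure
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable lowercase domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")

IOC_DOMAINS = {refang(i) for i in DEFANGED_IOCS}

def matching_ioc(qname: str):
    """Return the most specific IOC that covers qname (exact or parent domain)."""
    q = qname.lower().rstrip(".")
    best = None
    for ioc in IOC_DOMAINS:
        if q == ioc or q.endswith("." + ioc):   # dot-boundary prevents substring hits
            if best is None or len(ioc) > len(best):
                best = ioc
    return best

# Constructed resolver log format: "<ts> client=<ip> query=<name> type=<rr>".
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")

SAMPLE_DNS_LOG = """\
2026-03-10T12:00:01Z client=10.0.0.5 query=fcm.googleapis.com type=A
2026-03-10T12:00:07Z client=10.0.0.5 query=pool.fud2026.com type=A
2026-03-10T12:00:09Z client=10.0.0.5 query=pool-proxy.fud2026.com. type=A
2026-03-10T12:03:44Z client=10.0.0.9 query=www.btmob.xyz type=A
2026-03-10T12:05:00Z client=10.0.0.7 query=notfud2026.com type=A
"""

def scan_dns_log(text: str) -> list:
    """Return (client, queried name, matched IOC) for every hit in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ioc = matching_ioc(m["qname"])
        if ioc:
            hits.append((m["client"], m["qname"].rstrip("."), ioc))
    return hits

if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} (matches {ioc})")
```

The FCM query in the sample is left unmatched on purpose: as the article explains, blocking Google's push infrastructure is not an option, so the value of this check lies in the mining-pool and RAT domains that the malware must still resolve directly.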

detection names

Kaspersky's products detect BeatBanker under two signatures: HEUR:Trojan-Dropper.AndroidOS.BeatBanker for the dropper component and HEUR:Trojan-Dropper.AndroidOS.Banker for the banking module variant. If you are running a mobile security product that supports VirusTotal or industry-standard AV databases, searching for these detection strings against a suspicious APK or package name will confirm whether the sample matches known BeatBanker patterns. If your product does not surface these signatures, that is not necessarily a clearance — signature coverage for mobile threats lags considerably behind behavioral detection for threats of this class.

If You Think You're Already Infected

The defense section above addresses prevention, but the article would be incomplete without addressing what to do if you suspect BeatBanker is already on your device. This question is not hypothetical: the malware's delayed activation and behavioral camouflage mean that some users may have been running an infected device for weeks before any signal appears.

Check your Accessibility Services list immediately. Go to Settings > Accessibility > Installed Services (the exact path varies by manufacturer and Android version). Any entry you do not recognize, particularly anything named after a government service, connectivity tool, or system utility that you did not intentionally install, is a red flag. Disabling the permission alone will not remove the malware, but it immediately breaks BeatBanker's banking module and BTMOB's core RAT functionality, buying time for a proper remediation. Android bankers that hold this permission commonly use it to close the settings screen or flip the toggle back; if that happens, reboot into Safe Mode, which starts Android without third-party apps, and disable or uninstall from there. BeatBanker's banking module registers under the package name com.destination.cosmetics. It will appear in your installed apps list under whatever display name the operators chose, so the package name (shown on the App info screen on most devices) is the reliable identifier.

Look for the foreground notification. BeatBanker maintains a pinned notification to anchor its foreground service, because Android requires one for any service that wants to stay alive in the foreground. Swipe down the notification shade and examine persistent notifications from apps you do not recognize. An unfamiliar app with a persistent, undismissable notification and no obvious function is worth investigating, and an app that is "playing" audio you cannot hear is the signature case.

A factory reset is the reliable remediation path. Because BeatBanker loads its first-stage payload in memory and then installs a secondary APK with its own permissions, uninstalling the original lure app alone is insufficient: the second-stage package (com.destination.cosmetics) remains. A full factory reset removes the infection in the large majority of cases. Before resetting, do not create a fresh backup through the device's automatic backup system, and afterwards do not restore app data from a backup taken during the suspected infection window; restoring an infected backup reintroduces the malware. After resetting, treat every credential stored on or entered into the device as compromised: change passwords for every account accessed on that phone, revoke active sessions, and immediately review cryptocurrency wallets for unauthorized transactions. If a wallet's seed phrase or private key was ever stored on or typed into the phone, assume it is known to the operators and move the funds to a freshly generated wallet. For accounts tied to a phone number on the infected device, assume SMS-based two-factor authentication codes could have been captured during the infection window and re-enroll those second factors.
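The checks above rely on the phone's own Settings screens, which a trojan holding the Accessibility permission can interfere with. As an added example, not code from the Securelist write-up or from Kaspersky, here is a small POSIX shell triage helper that runs the same three checks (unknown accessibility services, the com.destination.cosmetics package, and a foreground service anchored by a notification) from a computer over adb, where the malware cannot close the window. It assumes USB debugging is enabled and adb is on PATH, and it parses the output of `settings get secure enabled_accessibility_services`, `pm list packages`, and `dumpsys activity services`. The allowlist of accessibility packages, the sample command outputs embedded below, and the service class names inside them are constructed for illustration; only the package name comes from the analysis.

```shell
#!/bin/sh
# Added triage helper (not from the Kaspersky write-up). Parses three adb command
# outputs to surface the BeatBanker indicators. Sample outputs are constructed;
# only com.destination.cosmetics comes from the published analysis.

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.destination.cosmetics/com.destination.cosmetics.AccessService'

# Constructed sample of: adb shell pm list packages
SAMPLE_PKGS='package:com.android.chrome
package:com.destination.cosmetics
package:com.google.android.gms'

# Constructed excerpt of: adb shell dumpsys activity services
SAMPLE_SVCS='  * ServiceRecord{1a2b3c4 u0 com.destination.cosmetics/.AudioLoopService}
    isForeground=true foregroundId=1 foregroundNoti=Notification(channel=media)
  * ServiceRecord{5d6e7f8 u0 com.android.chrome/.SyncService}
    isForeground=false foregroundId=0'

# Accessibility packages you expect to see (assumption: edit this for your fleet).
ALLOWED_A11Y='com.google.android.marvin.talkback com.android.talkback'

# Second-stage package named in the Securelist analysis.
BEATBANKER_PKG='com.destination.cosmetics'

# suspicious_a11y "<colon-separated service list>"
# Prints every enabled accessibility service whose package is not on ALLOWED_A11Y.
suspicious_a11y() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        pkg=${svc%%/*}
        case " $ALLOWED_A11Y " in
            *" $pkg "*) ;;             # expected service, ignore
            *) printf '%s\n' "$svc" ;; # unknown package holding accessibility
        esac
    done
}

# has_package "<pm list packages output>" "<package name>"; exit status 0 if installed.
has_package() {
    printf '%s\n' "$1" | grep -qx "package:$2"
}

# foreground_services "<dumpsys activity services output>"
# Prints package/service for each ServiceRecord whose dump shows isForeground=true.
foreground_services() {
    printf '%s\n' "$1" | awk '
        /[*] ServiceRecord[{]/ {
            rec = $0
            sub(/.*ServiceRecord[{][^ ]* u[0-9]+ /, "", rec)   # strip record id and user
            sub(/[}].*/, "", rec)                              # strip closing brace
        }
        /isForeground=true/ && rec != "" { print rec; rec = "" }
    '
}

# run_checks "<a11y>" "<pkgs>" "<svcs>": prints a triage report from the three outputs.
run_checks() {
    echo "## accessibility services outside the allowlist:"
    suspicious_a11y "$1"
    echo "## BeatBanker second-stage package ($BEATBANKER_PKG) installed:"
    if has_package "$2" "$BEATBANKER_PKG"; then echo yes; else echo no; fi
    echo "## foreground services (look for unfamiliar apps with a pinned notification):"
    foreground_services "$3"
}

# triage_device: same checks against a connected phone. Assumes USB debugging is on
# and adb is on PATH; adb output is CRLF-terminated, hence the tr -d.
triage_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 2; }
    run_checks "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" \
               "$(adb shell pm list packages | tr -d '\r')" \
               "$(adb shell dumpsys activity services | tr -d '\r')"
}

if [ "${1:-}" = "--device" ]; then
    triage_device
else
    run_checks "$SAMPLE_A11Y" "$SAMPLE_PKGS" "$SAMPLE_SVCS"
fi
```

Run it with `--device` against a connected phone; with no arguments it reports on the constructed samples. The allowlist is deliberately short: on a real fleet, seed it from a known-clean device so that anything else holding the Accessibility permission is surfaced. If you want a sample for the hash lookup described under detection names, pull the APK before wiping (`adb shell pm path com.destination.cosmetics` prints its location on the device, then `adb pull` copies it out).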

If BTMOB RAT was deployed, the threat surface is wider than BeatBanker alone. A device that was running BTMOB — with its screen recording, GPS tracking, and lock screen credential capture — should be treated as fully compromised for any account, credential, or data that existed on or passed through that device. This includes corporate email if the device was used for work, any photos or documents stored on the phone, and any accounts accessed during the infection period.

BeatBanker is a clear signal of where mobile malware is heading: toward layered, adaptive payloads that combine passive revenue extraction with active financial fraud and full device compromise, all wrapped in persistence techniques that exploit the legitimate behavior of the operating system itself. The audit trail it leaves — battery drain, unexpected heat, a foreground service playing audio you can barely hear — is subtle enough that many users will never notice. The financial damage it can inflict through a single misdirected USDT transaction is immediate and permanent. For Android users, the strongest single action you can take is simple: treat any Accessibility Services permission prompt from a newly installed app as a non-negotiable refusal. For security teams, the takeaway is harder — when C2 runs over Google's own push notification infrastructure and persistence exploits a legitimate OS feature, the perimeter is already inside the device.

Sources: Kaspersky Securelist — "BeatBanker: both banker and miner for Android" (March 2026, securelist.com); BleepingComputer — "New BeatBanker Android malware poses as Starlink app to hijack devices" (March 2026); Cyble Research and Intelligence Labs — "BTMOB RAT Newly Discovered Android Malware" (February 2025, cyble.com); Cyfirma — "Unmasking EVLF DEV: The Creator of CypherRAT and CraxsRAT" (August 2023); Morocco DGSSI national alert on BTMOB RAT (2025); Kaspersky Securelist — "Mobile threat report for Q1 2025"; Kaspersky Securelist — "The mobile threat landscape in 2025"; Kaspersky press release — "The number of Trojan banker attacks on smartphones increased by 56% in 2025" (March 2026); ANY.RUN Malware Trends — BTMOB RAT analysis; EBANX/Central Bank of Brazil — Pix transaction statistics (2025); PYMNTS Intelligence — "Digital Developments: Charting Digital Payment Growth in Latin America" (2025).

— end of briefing