BeatBanker: The Dual-Mode Android Trojan Using Silent Audio to Steal Crypto and Bank Funds Security researchers at Kaspersky have uncovered BeatBanker, a sophisticated Android Trojan targeting users in Brazil through a fake Google Play Store. The malware employs a unique evasion tactic playing an inaudible five-second audio loop to prevent the system from terminating its process, ensuring persistent operation. The attack begins with a counterfeit website (cupomgratisfoodshop), mimicking the official Google Play Store to distribute the INSS Reembolso app. Disguised as a government portal for social security services, the app tricks victims into granting dangerous permissions under the guise of an "update." Once installed, BeatBanker displays a fake system notification to maintain activity while silently running in the background. The Trojan’s primary function is financial theft. When users open cryptocurrency apps like Binance or Trust Wallet, BeatBanker overlays a fake screen, swapping the recipient’s wallet address with the attacker’s during transactions. It also monitors browser activity in Chrome and Edge to harvest login credentials. Recent variants have escalated the threat by deploying BTMOB RAT, a remote access tool that grants attackers full control recording audio, accessing cameras, tracking GPS, and even performing a factory reset to erase evidence. The malware spreads by exploiting accessibility permissions, often under false pretenses. Kaspersky’s findings highlight BeatBanker’s dual-mode capabilities: cryptocurrency mining to drain device resources and direct financial theft through deceptive overlays. The campaign underscores the evolving tactics of mobile malware, particularly in regions with high digital banking adoption.