Kaspersky uncovers a new Android malware campaign disguised as Starlink application

"At first we saw BeatBanker being distributed under the guise of a public services app; it installed a banking Trojan in addition to a cryptocurrency miner. However, our recent detection efforts uncovered a new campaign with another BeatBanker variant that deploys the BTMOB RAT instead of the banker module. The attackers appear to be using a fresh lure with the Starlink app to reach more victims from different countries. Therefore, it is important for users to stay vigilant and use advanced solutions to protect their smartphones," comments Fabio Assolini, Head of the Americas & Europe units at Kaspersky GReAT.

Initial vector of infection
Kaspersky experts believe that cybercriminals distribute a fake Starlink application containing the BeatBanker Trojan through phishing pages that mimic the Google Play Store. After execution on a compromised device, the Trojan displays a user interface that also mimics Google Play. Cybercriminals trick victims into granting installation permissions, thus allowing the download of additional hidden malicious payloads.    

Crypto mining and BTMOB RAT module
When a user clicks UPDATE on the fake Google Play page, a Monero cryptocurrency miner deploys. BeatBanker monitors battery percentage and the temperature of an infected smartphone, as well as user activity after which a hidden cryptocurrency miner is started or stopped.

The Android Trojan also installs a BTMOB RAT on the compromised device. BTMOB enables full remote control and is sold as Malware-as-a-Service. It is capable of automatic granting of permissions, hide system notifications and has mechanisms designed to capture screen lock credentials, including PINs, patterns and passwords on compromised devices. The malware also gives cybercriminals access to the front and rear cameras, GPS location monitoring and constant collection of sensitive data.  

To ensure persistence and hinder uninstallation, BeatBanker maintains a fixed notification in the foreground and activates a foreground service with silent media playback. This tactic is designed to prevent the operating system from removing the malicious process.

Kaspersky’s products detect this threat as HEUR:Trojan-Dropper.AndroidOS.BeatBanker and HEUR:Trojan-Dropper.AndroidOS.Banker.*.

See the post on  Securelist for more information.

To stay protected from mobile threats, Kaspersky recommends the following:

• Download apps only from official app stores for smartphones, such as Apple App Store and Google Play, but remember that even downloading apps from official stores is not always risk-free.
• Always check app reviews, only use links from official websites and install reliable security software, like Kaspersky Premium, that can detect and block malicious activity if an app turns out to be fraudulent.
• Check the permissions of apps that you use and think carefully before permitting an app, especially when it comes to high-risk permissions such as Accessibility Services.
• Update your operating system and important apps as updates become available. Many safety issues can be solved by installing updated versions of software.

About the Global Research & Analysis Team
Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.