🔬 Malware Analysis: BeatBanker Android banker + miner

Overview
BeatBanker is an Android malware family that combines traditional banker functionality with embedded crypto-mining capabilities. Analysis identifies a packed sample with a native loader (l.so) that dynamically loads a DEX component; later samples have been observed dropping a component identified as BTMOB for mining.
Behavior and Components
• Loader and packing: The malware uses a native shared object (l.so) acting as a DEX loader and unpacker, enabling dynamic class loading and evasion of static detection.
• Banking module: The banking component monitors installed browsers (Chrome, Firefox, sBrowser, Brave, Opera, DuckDuckGo, Dolphin Browser, Edge). It extracts visited domains using the regex ^(?:https?://)?(?:[^:/\\]+\\.)?([^:/\\]+\\.[^:/\\]+) and can manage and open links in the device's default browser.
• Crypto mining: Some samples include or drop a miner component (reported as BTMOB), indicating dual-purpose monetization.
• Persistence & telemetry: Includes mechanisms for persistence, telemetry exfiltration, and dynamic code loading from C2.

C2 Capabilities (selection)
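The domain-extraction regex quoted in the banking module bullet above, exercised on constructed URLs so an analyst can see exactly what the banker records from a visited URL (an added example, not code from the report or from the malware; it assumes the page shows the pattern in Java string-literal form, so `\\.` is a literal dot and `[^:/\\]` excludes `:`, `/` and `\`):

```python
import re

# The report's pattern, de-escaped from its Java string-literal form (assumption:
# the doubled backslashes on the page are Java string escaping, not regex syntax).
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:[^:/\\]+\.)?([^:/\\]+\.[^:/\\]+)")


def extract_domain(url: str):
    """Return the value the banker's regex captures for a visited URL, or None.

    The optional leading group is greedy but must end in a dot, and the capture
    must contain exactly one dot, so the engine backtracks until the last two
    dot-separated labels remain: subdomains, ports and paths are discarded.
    """
    m = DOMAIN_RE.match(url)
    return m.group(1) if m else None


def extract_all(urls):
    """Map each URL to its extracted value, e.g. when replaying a browser history."""
    return {u: extract_domain(u) for u in urls}


# Constructed sample URLs (not from the report) chosen to expose the edge cases.
SAMPLES = [
    "https://www.example.com/login",        # subdomain stripped -> example.com
    "example.com",                          # scheme-less input still matches
    "https://login.bank.co.uk/auth",        # multi-part TLD collapses -> co.uk
    "http://192.168.1.10/admin",            # IPv4 reduced to last two octets -> 1.10
    "https://www.example.com:8443/portal",  # port is excluded -> example.com
    "http://localhost:8080/",               # no dot in host -> nothing captured
]

if __name__ == "__main__":
    for url, dom in extract_all(SAMPLES).items():
        print(f"{url:40} -> {dom}")
```

The co.uk and IPv4 cases matter for analysts building detections or target lists from the banker's telemetry: the pattern is not a registrable-domain extractor and will conflate every site under a multi-part public suffix.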
The C2 implements a wide command set allowing full device control and data collection. Examples include dynamic DEX class loading, simulated updates that lock the screen, Google Authenticator monitoring (goauth), toggles for protection bypass, audio recording (srec), clipboard pasting via Accessibility Services (pst), SMS sending (ssms), and full device wipes via Device Administrator (adm<>wip<>).
Additional capabilities include keylogger and virtual keyboard management, overlay-based full-screen locks, screen capture/streaming, macroed taps/swipes, saved-link management, and VPN/firewall control.
Ecosystem and Delivery
Recent detections indicate modular deployment and possible Malware-as-a-Service distribution. The combination of banking-focused functionality and miner payloads suggests flexible monetization strategies. New samples reportedly drop BTMOB, reinforcing the dual-purpose design.
Limitations and Open Details
Technical reporting focuses on observed code paths and C2 commands; specific IoCs and attribution are not provided here. The loader-based architecture and heavy reliance on Accessibility and overlay privileges are notable constraints and enablers for the malware's capabilities.
#beatbanker #android #malware #btmob #mobilesecurity
Source: https://securelist.com/beatbanker-miner-and-banker/119121/