Cybersecurity researchers have uncovered a malicious Android campaign in which hackers distribute a fake Starlink application that secretly mines cryptocurrency and steals sensitive information from infected devices.
The attack highlights a growing trend in which cybercriminals disguise malware as popular apps or services to trick users into installing malicious software.
BeatBanker malware combines crypto mining and banking attacks
Kaspersky researchers identified the malware as part of the BeatBanker Android malware campaign, which combines both a cryptocurrency miner and banking Trojan capabilities.
Kaspersky warns that BeatBanker is “an Android-based malware campaign” that spreads through phishing sites designed to mimic legitimate app stores. The software package contains multiple modules, including a cryptocurrency miner and a banking Trojan capable of hijacking the device and spoofing screens.
PCMag reported that the malware is designed to gain deep control of the victim’s phone. The Trojan can monitor device activity, collect system information, and download additional malicious components.
In many cases, the fake application is distributed through websites disguised as legitimate software marketplaces, tricking victims into downloading what seems to be an authentic app update.
Malware secretly downloads mining software
After the user installs the fake app and interacts with it, the malware downloads a hidden payload that starts cryptocurrency mining operations.
Kaspersky researchers explained that when a victim clicks an “update” prompt in the malicious interface, the malware retrieves a mining program from a remote server and executes it on the device. The program uses an ARM-compiled XMRig mining binary, which connects to cryptocurrency mining pools controlled by attackers.
The hidden miner quietly consumes the phone’s computing resources while running in the background. Such attacks are often referred to as cryptojacking, where hackers exploit victims’ hardware to generate digital currency without their knowledge.
Cryptojacking can significantly affect device performance. Cryptocurrency mining requires heavy computational workloads, so infected devices may experience battery drain, overheating, and slower performance.
Trojan can hijack financial transactions
In addition to mining cryptocurrency, the malware includes a banking component capable of stealing funds from cryptocurrency wallets.
BeatBanker can display overlay screens on cryptocurrency applications such as Binance and Trust Wallet, allowing attackers to manipulate transactions. When a victim attempts to transfer digital currency, the malware replaces the destination wallet address with one controlled by the attackers.
This technique enables hackers to redirect cryptocurrency transfers without the victim immediately noticing the change.
The malware uses several techniques to ensure it remains active on the infected phone. Researchers noted that the Trojan uses a persistence mechanism that plays a nearly inaudible audio file in a loop, preventing the Android operating system from shutting down the malicious process.
Malware communicates with attackers through messaging service
The malware communicates with attackers using Firebase Cloud Messaging, a legitimate notification service provided by Google. Using this system, the attackers can send commands to infected devices and control when the mining operation starts or stops.
The malware collects telemetry data from the device, including battery status and system information, which is sent back to the attackers’ servers.
Researchers say the malware’s ability to hide its activity and dynamically download new components makes it particularly dangerous.
Growing threat of mobile cryptojacking
Mobile cryptojacking attacks have become more common as smartphones grow more powerful. Security researchers warn that cybercriminals increasingly target Android devices because the operating system allows apps to be installed from third-party sources outside official stores.
Once infected, victims may not immediately notice the attack, as the mining software runs quietly in the background.
Cybersecurity experts recommend that users only install applications from trusted marketplaces such as Google Play and avoid downloading apps from unknown websites.
They also advise paying attention to unusual device behavior such as overheating, rapid battery drain, or sudden slowdowns, which may indicate hidden malware activity.
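One way to check a device against the advice above on third-party sources, as an added example that is not part of the original article: the Python below parses the output of `adb shell pm list packages -i -3` and lists user-installed packages that were not installed by Google Play. The sample output and package names are constructed, and treating `com.android.vending` as the only trusted installer is an assumption.

```python
import re

# Assumption: only Google Play's installer is trusted; extend for managed fleets.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i`: "package:<name>  installer=<name|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)(?:\s+installer=(?P<installer>\S+))?$")

# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE = """\
package:com.example.maps  installer=com.android.vending
package:com.example.satellite.update  installer=null
package:com.example.wallet  installer=com.android.vending
package:com.example.game  installer=com.google.android.packageinstaller
WARNING: unrelated line that is not a package record
package:com.example.legacy
"""


def parse_installers(pm_output):
    """Map package name -> installer; None when absent or reported as 'null'."""
    result = {}
    for raw in pm_output.splitlines():
        match = LINE_RE.match(raw.strip())  # strip() also drops CR from adb on Windows
        if not match:
            continue  # skip warnings and blank lines
        installer = match.group("installer")
        result[match.group("pkg")] = None if installer in (None, "null") else installer
    return result


def sideloaded(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer) pairs not installed by a trusted store."""
    installers = parse_installers(pm_output)
    return [(pkg, installers[pkg]) for pkg in sorted(installers)
            if installers[pkg] not in trusted]


if __name__ == "__main__":
    for pkg, installer in sideloaded(SAMPLE):
        print(f"review: {pkg} (installer: {installer or 'unknown'})")
```

A package listed here is not necessarily malicious; it is a candidate for review alongside the overheating and battery-drain symptoms described above.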
The discovery of the fake Starlink app campaign underscores how cybercriminals continue to exploit trusted brands and emerging technologies to distribute malicious software.