BeatBanker A dual‑mode Android Trojan #1976

Open

carlospolop wants to merge 1 commit into master from update_BeatBanker__A_dual_mode_Android_Trojan_20260310_184806

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://securelist.com/beatbanker-miner-and-banker/119121/
  • Blog Title: BeatBanker: A dual‑mode Android Trojan
  • Suggested Section: Mobile Pentesting -> Android Applications Pentesting (new subsections on InMemoryDexClassLoader/fileless DEX, native .so staging/JNI loaders, Accessibility abuse for overlay + ACTION_SET_TEXT, and persistence via foreground service/MediaPlayer); optionally cross-link from Reversing/Malware analysis for in-memory DEX extraction with Frida

🎯 Content Summary

Title/Scope
Kaspersky analyzes BeatBanker, a multi-stage Android malware campaign targeting Brazil. It spreads mainly via phishing through a website impersonating the Google Play Store. The chain delivers (a) a packed loader with native ELF staging + in-memory DEX execution, (b) an ARM XMRig 6.17.0 Monero miner, and (c) either a banking Trojan focused on USDT transaction hijacking (older wave) or the BTMOB RAT (newer wave)...

🔧 Technical Details

Native ELF staging to hide the real DEX: Package an Android dropper where a native library (e.g., lib*.so) decrypts an embedded encrypted ELF and writes it as a second-stage loader (l.so). The second stage continues execution via JNI and eventually loads the actual malicious DEX, reducing static visibility of the payload in the original APK.

XOR “stack strings” to conceal Java method targets: Store Java method names as XOR-encrypted stack strings inside the native loader; reconstruct them at runtime to directly invoke Java methods without obvious symbol references, complicating static analysis and string-based detections.

Fileless DEX execution for AV evasion: Use dalvik.system.InMemoryDexClassLoader to load a DEX payload straight from memory so no DEX file is written to the filesystem. During analysis, dynamic instrumentation (e.g., Frida: https://frida.re/) can hook class loading / buffers to recover th...

🤖 Agent Actions

Summary:
Added a new “Android malware tradecraft” section in src/mobile-pentesting/android-app-pentesting/README.md covering native staging + fileless DEX, anti-analysis kill-switch, MediaPlayer foreground-service persistence, Accessibility overlay + ACTION_SET_TEXT hijacking, FCM C2 gating, and filename-derived decryption keys.
Appended the BeatBanker blog to the References section in the same file.

Files modified:

  • src/mobile-pentesting/android-app-pentesting/README.md

Tests:

  • Not run (docs-only change).

If you want this split into a dedicated page later, I can propose a single-file refactor that preserves the “one file” constraint.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
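The three indicators named in the Technical Details above (a DEX that references dalvik.system.InMemoryDexClassLoader, a native library carrying a second ELF embedded in its body, and Java method names stored as XOR-encoded stack strings) can all be triaged statically before any dynamic analysis. The Python script below is an added example written for this review; it is not code from the Securelist post, from Kaspersky, or from the HackTricks repository. The APK it scans is constructed inline, and the XOR key 0x5A, the file names and the identifier heuristics are assumptions made for the demonstration.

```python
import io
import re
import zipfile
from collections import Counter

# Indicators from the PR's technical summary: the class used for fileless DEX loading,
# and the ELF magic that marks a native second stage embedded inside a .so.
INMEMORY_LOADER = b"Ldalvik/system/InMemoryDexClassLoader;"
ELF_MAGIC = b"\x7fELF"


def scan_dex(data: bytes) -> list:
    """Flag a DEX that references InMemoryDexClassLoader (payload never written to disk)."""
    if INMEMORY_LOADER in data:
        return ["classes.dex: references dalvik.system.InMemoryDexClassLoader (fileless DEX loading)"]
    return []


def scan_native_lib(name: str, data: bytes) -> list:
    """Flag a .so whose body contains a second ELF header (staged native loader)."""
    if not data.startswith(ELF_MAGIC):
        return []
    inner = data.find(ELF_MAGIC, len(ELF_MAGIC))
    if inner == -1:
        return []
    return [f"{name}: embedded ELF header at offset {inner} (possible second-stage loader)"]


def scan_apk(apk_bytes: bytes) -> list:
    """Walk an APK (a zip) and collect findings from its DEX files and native libraries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if info.filename.endswith(".dex"):
                findings.extend(scan_dex(data))
            elif info.filename.startswith("lib/") and info.filename.endswith(".so"):
                findings.extend(scan_native_lib(info.filename, data))
    return findings


def read_member(apk_bytes: bytes, name: str) -> bytes:
    """Return one APK member (e.g. a native library) for deeper inspection."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def _plausible_identifier(name: bytes) -> bool:
    # Reject monotone runs: zero padding XOR'd with 0x5A decodes to "ZZZZ...", not a method name.
    top = Counter(name).most_common(1)[0][1]
    return len(set(name)) >= 4 and top * 5 <= len(name) * 2


def recover_xor_identifiers(blob: bytes, min_len: int = 8) -> dict:
    """Try every single-byte XOR key and keep decodings that look like Java identifiers.
    This is the usual first pass for recovering reflection targets hidden as XOR'd
    stack strings. Returns {key: [names]}; the heuristic is an assumption, not the blog's."""
    ident = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{%d,}" % (min_len - 1))
    hits = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        names = [m.decode() for m in ident.findall(decoded) if _plausible_identifier(m)]
        if names:
            hits[key] = names
    return hits


def _zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed sample, not a real BeatBanker artifact: the DEX names the in-memory
    loader; the .so holds a second ELF header and a method name XOR'd with key 0x5A."""
    dex = b"dex\n035\x00" + b"\x00" * 32 + INMEMORY_LOADER + b"\x00" * 16
    hidden = bytes(c ^ 0x5A for c in b"getDeclaredMethod")
    so = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61 + b"libfoo.so\x00" + b"\x00" * 24
          + ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61 + b"\xff" * 4 + hidden + b"\xff" * 4)
    return _zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": dex,
                 "lib/arm64-v8a/libfoo.so": so})


def build_clean_apk() -> bytes:
    """Constructed benign counterpart: ordinary class reference, single ELF header."""
    dex = b"dex\n035\x00" + b"\x00" * 32 + b"Ljava/lang/String;" + b"\x00" * 16
    so = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61 + b"libclean.so\x00"
    return _zip({"classes.dex": dex, "lib/arm64-v8a/libclean.so": so})


if __name__ == "__main__":
    apk = build_sample_apk()
    for line in scan_apk(apk):
        print(line)
    lib = read_member(apk, "lib/arm64-v8a/libfoo.so")
    for key, names in recover_xor_identifiers(lib).items():
        print(f"XOR key 0x{key:02x}: {names}")
```

On a real sample the XOR pass is noisy (the case-flip key 0x20 turns any plain lowercase string into an uppercase "identifier"), so treat its output as candidates to confirm against the native loader's JNI calls rather than as proof; the two structural checks in scan_apk are the ones worth wiring into an automated triage pipeline.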

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://securelist.com/beatbanker-miner-and-banker/119121/

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting (new subsections on InMemoryDexClassLoader/fileless DEX, native .so staging/JNI loaders, Accessibility abuse for overlay + ACTION_SET_TEXT, and persistence via foreground service/MediaPlayer); optionally cross-link from Reversing/Malware analysis for in-memory DEX extraction with Frida".

Repository Maintenance:

  • MD Files Formatting: 954 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
