
BeatBanker: A dual‑mode Android Trojan

ID: 86abba0c-def0-5596-aa96-5cd9eed054e7

STIX ID: report--86abba0c-def0-5596-aa96-5cd9eed054e7

Feed Name: Securelist by Kaspersky

Threat Score: 75/100

Date Published: 2026-03-10

Date Updated: 2026-04-29

Author: GReAT


BeatBanker is an Android malware campaign observed in Brazil. It uses fake Google Play Store sites to trick victims into installing trojanized apps, which then load payloads via an ELF/DEX loader. The threat combines an ARM XMRig cryptominer with a banking Trojan that abuses Accessibility and overlay capabilities to intercept and replace USDT transaction addresses. It maintains persistence through near‑inaudible looped audio and foreground notifications and uses Firebase Cloud Messaging for C2; recent variants deploy the BTMOB RAT. The report provides technical unpacking, a comprehensive command set, IoCs (domains and MD5 hashes), and mitigation advice.
