Find notable cyber news and cases, enriched with sources, timelines, and signals.

BeatBanker Android malware activity

Malware Activity
First reported
Last updated
Happening score
H score 26
2 unique sources, 2 articles

Summary

Hide ▲

The BeatBanker Android malware is actively hijacking devices by posing as a Starlink app, creating risk of credential theft, illicit mining, and remote device control. It combines banking trojan behavior with Monero mining and can also deploy BTMOB RAT for full access. Observed infections were concentrated in Brazil, and the newest variant can replace the banking module with a remote-access payload.

Related Happenings

RedWing Android spyware rented through Telegram

Malware Activity
H score21 First: 08.07.2026 18:30 Last: 08.07.2026 18:30 Sources 1

About this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...

RedWing Android bank-fraud malware rental service

Malware Activity
H score21 First: 07.07.2026 20:10 Last: 07.07.2026 20:10 Sources 1

About this happening: The **RedWing** Android malware service is being rented on **Telegram** to steal **banking logins**, **OTPs**, and device control, raising fraud risk for **banking and cryptocurre...

Rokarolla Android banking trojan activity

Malware Activity
H score26 First: 16.06.2026 16:15 Last: 16.06.2026 16:15 Sources 1

About this happening: The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...

NFCShare Android malware spreads via fake banking-app updates

Malware Activity
H score21 First: 09.06.2026 01:11 Last: 09.06.2026 01:11 Sources 1

About this happening: The **NFCShare Android malware** is being spread as **fake banking-app updates on GitHub**, broadening attacks against **customers of multiple banks and financial institutions acr...

BTMOB Android MaaS platform expands low-code phishing payload production

Threat Actor Meta
H score21 First: 29.05.2026 00:10 Last: 29.05.2026 00:10 Sources 1

About this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...

Timeline

  1. 10.03.2026 23:27 2 articles · 4mo ago

    BeatBanker Android malware disclosure and campaign details

    Initial Disclosure

    Kaspersky disclosed BeatBanker as a new Android malware campaign targeting users in Brazil that poses as a Starlink app on fake Google Play Store websites to hijack devices, steal credentials, tamper with cryptocurrency transactions, and mine Monero. The newest variant replaces the banking module with BTMOB RAT, while the malware also uses APK delivery, hidden DEX loading, delayed malicious operations, and continuous playback of output8.mp3 to keep a foreground service active.

    Show sources