BeatBanker Android Trojan with Monero Miner, $333M Crypto ATM Fraud, and TPMS Vehicle Tracking: Weekly Cybersecurity Roundup
Key cybersecurity events of the week: new BeatBanker Android trojan with built-in Monero miner, record $333M losses from crypto ATM fraud in the US, and researchers demonstrate vehicle tracking via tire pressure sensors.
The past week brought several major cybersecurity incidents — from a sophisticated new Android trojan combining banking fraud with cryptomining to record-breaking losses from crypto ATM scams. Here's a breakdown of the key developments.
BeatBanker: Banking Trojan Meets Monero Miner with Chinese Audio Trick
Researchers at Kaspersky Lab have identified a new Android malware called BeatBanker. The program combines banking trojan capabilities with a hidden Monero cryptocurrency miner. It can steal credentials and intercept cryptocurrency transactions by swapping wallet addresses.

BeatBanker spreads through fake Google Play Store websites, disguised as financial apps and Starlink software. The APK file uses native libraries to decrypt and load hidden code directly into memory, bypassing standard detection mechanisms.
In some cases, instead of the banking module, the malware installs an Android remote access trojan called BTMOB RAT, giving operators:
- Full device control
- Keylogging and screen recording
- Camera access and GPS tracking
- Credential interception
Before activation, BTMOB RAT checks its environment for analysis tools, then displays a fake Play Store update window to obtain installation permissions. To avoid suspicion, the software deliberately delays malicious operations after installation.
One particularly unusual feature: BeatBanker keeps itself active on the system by continuously playing a nearly inaudible audio recording of Chinese speech from an MP3 file. For covert Monero mining, it uses a modified version of XMRig 6.17.0, which it launches dynamically depending on device load conditions. The campaign primarily targets users in Brazil.
Why This Matters
BeatBanker reflects a growing trend toward multi-purpose threats that combine financial data theft with cryptomining. The transaction-swapping capability directly endangers digital asset holders, while hidden Monero mining increases attacker returns. Meanwhile, record crypto ATM losses highlight the expanding scale of fraud across cryptocurrency infrastructure, and the TPMS vulnerability raises serious privacy concerns about everyday automotive technology.
CertiK Reports $333M in Crypto ATM Fraud Losses

According to CertiK analysts, losses from crypto ATM fraud schemes in the United States reached $333 million in 2025. The number of victim reports received by the FBI increased by 33% year-over-year. The US hosts 78% of all 45,000 crypto terminals worldwide.
CertiK identifies crypto ATM fraud as one of the fastest-growing categories of financial crime in the country. AI-powered social engineering schemes proved 4.5 times more profitable for scammers than traditional methods. The analyst firm also noted a shift in perpetrator profiles: fraudsters are increasingly forming structured transnational criminal organizations.
Tire Pressure Sensors Enable Vehicle Surveillance

A research team from Spain, Switzerland, and Luxembourg demonstrated that vehicles can be tracked using Tire Pressure Monitoring Systems (TPMS). The core issue is that TPMS broadcasts data along with a unique identifier in plaintext, and this ID remains unchanged throughout the tire's lifespan. Effectively, each wheel continuously emits a radio signal that can uniquely identify a specific vehicle.
The experiment deployed five receivers costing approximately $100 each. Over ten weeks, these devices intercepted more than 6 million TPMS messages from roughly 20,000 vehicles. Since IDs never changed, researchers successfully matched signals to specific wheels and reconstructed travel routes. All data is transmitted unencrypted — a budget receiver and standard antenna are sufficient for interception, creating potential for large-scale targeted surveillance.
Meta Launches New Anti-Fraud Protection Tools

Meta unveiled a suite of tools to combat fraud across its platforms:
- Facebook warnings when users interact with suspicious accounts
- WhatsApp alerts for dubious requests attempting to link accounts to unfamiliar devices
- Enhanced threat detection in Messenger using AI analysis to identify hacker activity markers in messages
The company also reported blocking over 150,000 accounts linked to scam centers in Southeast Asia. Previously, Meta removed more than 159 million fraudulent advertisements and blocked 10.9 million accounts on Facebook and Instagram connected to organized scam operations.
Other Notable Events This Week
- Address-spoofing attacks on Ethereum surged 600% following the Fusaka upgrade
- A MediaTek chip vulnerability put crypto wallets at risk on a quarter of Android smartphones
- Binance disclosed details of its investigation into transfers to Iran-linked addresses
- US authorities recognized the privacy rights of crypto mixer users
- AI model Claude Opus 4.5 discovered 22 vulnerabilities in Firefox within two weeks
Frequently Asked Questions
What is BeatBanker malware and how does it work?
BeatBanker is an Android malware discovered by Kaspersky Lab that combines banking trojan functionality with a hidden Monero miner. It steals credentials and swaps cryptocurrency transaction addresses. It spreads via fake Google Play Store websites disguised as financial apps and Starlink software.
How much money was lost to crypto ATM fraud in 2025?
According to CertiK analysts, crypto ATM fraud losses in the United States reached $333 million in 2025. FBI victim reports increased by 33% year-over-year. The US hosts 78% of all 45,000 crypto terminals worldwide.
Can cars be tracked through tire pressure sensors?
Researchers from Spain, Switzerland, and Luxembourg demonstrated this is possible. TPMS broadcasts data with a unique identifier in plaintext that never changes during the tire's lifespan. Using five receivers costing $100 each, they intercepted over 6 million TPMS messages from approximately 20,000 vehicles over ten weeks.
What new anti-fraud tools did Meta announce?
Meta launched warnings on Facebook for suspicious account interactions, WhatsApp alerts for dubious device-linking requests, and enhanced AI-powered threat detection in Messenger. The company also blocked over 150,000 accounts linked to Southeast Asian scam centers.
How does BeatBanker maintain persistence on Android devices?
BeatBanker uses an unusual technique — it continuously plays a nearly inaudible MP3 recording of Chinese speech to stay active in the system. For Monero mining, it employs a modified version of XMRig 6.17.0 that dynamically adjusts based on device load conditions.
