
A stealer whispers in Chinese, tyre-pressure sensors aid tracking, and other cybersecurity news
This week in cybersecurity: Android malware, crypto-ATM fraud, TPMS tracking and Meta tools.
We compiled the week’s most important cybersecurity news.
- Researchers found a multifunctional stealer with Chinese background audio.
- CertiK tallied losses from crypto-ATM scams.
- Tyre-pressure sensors enabled vehicle location tracking.
- Meta announced tools to protect users.
Researchers spot a multifunctional stealer with Chinese background audio
Researchers at Kaspersky reported a new Android malware dubbed BeatBanker. It blends features of a banking trojan and a covert Monero miner, and can steal credentials and tamper with cryptocurrency transactions.
Attackers distribute the software as financial apps and Starlink tools on spoofed Google Play websites. The APK uses native libraries to decrypt and load hidden code directly into memory to evade detection.
In some cases, instead of the banking module the software installs an Android remote-access trojan called BTMOB RAT. It gives operators full device control, keylogging, screen recording, camera access, GPS tracking and credential interception.
Before execution, the malware performs environment checks to ensure it is not being analysed. A fake Play Store update prompt then appears to obtain permissions for additional payloads. To avoid arousing suspicion, the software delays activity for a time after installation.

According to the researchers, the malware uses an unusual method to stay active: it continuously plays a nearly inaudible MP3 of spoken Chinese.
BeatBanker can also mine Monero covertly using a modified version of XMRig 6.17.0. The miner launches dynamically based on system load and conditions monitored by operators to balance performance and stealth.
The trojan’s activity has been observed in campaigns targeting users in Brazil.
CertiK tallies losses from crypto-ATM scams
In 2025, losses from fraud involving crypto ATMs in the United States reached $333 million. Meanwhile, victim reports received by the FBI rose 33% year-on-year, said CertiK analysts.
The US accounts for 78% of the 45,000 terminals worldwide. According to the researchers, crypto-ATM fraud is among the fastest-growing categories of financial crime in the country.

The researchers noted that AI-driven social-engineering schemes in 2025 were 4.5 times more profitable than traditional methods. CertiK also pointed to a shifting fraudster profile: operations are increasingly structured and evolving into transnational criminal organisations.
Tyre-pressure sensors used to track cars
A team of researchers from Spain, Switzerland and Luxembourg demonstrated a method to track vehicle movements using tyre-pressure monitoring systems (TPMS).
The problem, they argue, is that TPMS transmits data and a unique identifier in the clear, and the ID remains unchanged for the tyre’s lifetime. In effect, each wheel constantly broadcasts a radio signal that can uniquely identify the car.

The paper details an experiment deploying five receivers costing about $100 each.
Over ten weeks, the devices captured more than 6 million TPMS messages from roughly 20,000 vehicles. Because the IDs did not change, the researchers matched signals to specific wheels and traced their routes.
They observed that the data are sent unencrypted—interception requires only a budget receiver and a simple antenna. In their view, attackers could scale the system, link identifiers to individuals and conduct targeted surveillance.
Meta announced tools to protect users
Meta introduced a set of tools to protect users, the company said in a press release.
The new measures include:
- warnings in Facebook when users interact with suspicious accounts;
- an alert upon receiving dubious requests in WhatsApp, to prevent a scammer from linking the account to the scammer's own device;
- expanded threat detection in Messenger, offering to analyse recent messages for hacker markers using AI tools.

Meta also reported blocking more than 150,000 accounts linked to scam centres in Southeast Asia.
Earlier, the company removed more than 159 million scam ads for policy violations and blocked 10.9 million Facebook and Instagram accounts tied to scam centres.
Also on ForkLog:
- After Fusaka, the number of address-substitution attacks in Ethereum surged by 600%.
- A MediaTek chip vulnerability put crypto wallets on a quarter of Android smartphones at risk.
- Binance disclosed details of its investigation into transfers to Iran-linked addresses.
- Meta handed over intimate smart-glasses videos to contractors in Kenya.
- US authorities affirmed crypto-mixer users’ right to privacy.
- Claude Opus 4.5 found 22 Firefox vulnerabilities in two weeks.
What to read this weekend?
Graphics cards have become the main compute workhorses for neural networks. As the industry evolves, demand has grown for specialised AI hardware. ForkLog explores the latest phase of the artificial-intelligence arms race.