The security team at IBM Trusteer has issued a warning about a piece of malware known as PixPirate.
PixPirate is a new and sophisticated Android banking Trojan that has been targeting users in Brazil and other Latin American countries since late 2022. It is designed to commit fraud against users of the Pix instant payment platform, developed and managed by the Central Bank of Brazil, which enables quick payments and transfers across over 100 million registered accounts worldwide.
The malware disguises itself with well-known names and icons to appear as a trusted application to victims. It is usually delivered using a dropper application, which is employed to download and install the banking trojan. Once installed, PixPirate attempts to enable Accessibility Services with persistent fake pop-ups until the victim accepts. These Accessibility Services are then exploited to activate all of PixPirate’s harmful features.
PixPirate uses a combination of tactics to achieve its goals, including:
- Code obfuscation and encryption to thwart reverse engineering efforts.
- A JavaScript module, leveraging Android’s accessibility features, to steal banking passwords. This module is designed to recognize different UI elements of banking apps and capture the password input text displayed on the screen.
- Scripts to delete SMS messages that contain particular text, aiding in hiding fraudulent activities from the victim and analysts conducting incident response.
Moreover, the malware can prevent its uninstallation, disable Google Play Protect, intercept SMS messages and banking credentials, and perform Automated Transfer System (ATS) attacks via Pix payments. It also engages in malvertising by sending push notifications to the victim’s device.
This Android malware represents the latest generation of banking trojans, emphasizing the continuous evolution of cyber threats and the importance of maintaining strong cybersecurity practices, especially for users in the targeted regions.
IBM Trusteer stated that: “Usually, victims get infected with PixPirate by downloading the PixPirate downloader from a malicious link sent to them through WhatsApp or an SMS phishing (smishing) message. This message convinces the victim to download the downloader, which impersonates a legitimate authentication app associated with the bank. Once the victim launches the downloader, it asks the victim to install an updated version of itself, which is, in fact, the actual PixPirate malware.”