Contents:
Pix is an instant payment platform developed and managed by the Central Bank of Brazil (BCB), which enables quick payment and transfer execution, with over 100 million registered accounts worldwide.
A new strain of mobile malware targeting Brazil and other LATAM nations has just been discovered. The malware is designed to steal sensitive data and commit fraud against Pix platform users. This most recent generation of Android banking trojans, known as PixPirate, discovered by Cleafy between late 2022 and the beginning of 2023, allows attackers to automatically insert a malicious money transfer over the Instant Payment platform.
How PixPirate Works
With well-known names and icons, PixPirate appears to be a trusted application to victims, but actually serves harmful ends.
Researchers discovered the fake samples delivered by TAs by the end of 2022:
According to the report, PixPirate is usually delivered using a dropper application, used to download and install the banking trojan.
During its installation, PixPirate immediately tries to enable Accessibility Services that keep being requested persistently with fake pop-ups until the victim accepts.
Banking trojans commonly take advantage of accessibility features to communicate with other apps. PixPirate activates all of its harmful features once it receives permission from the victim. Additionally, the android banking malware uses the accessibility services API to perform malicious tasks, such as disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and delivering fake advertisements.
Going for the Banking Passwords
Many Brazilian institutions use the Pix instant payment system. Researchers say the threat actors behind the PixPirate operation have employed code obfuscation and encryption to thwart attempts at reverse engineering the malware.
A PixPirate JavaScript module and Android’s accessibility features are used to steal the banking password. Each targeted bank has different functions within this module because every banking application is different. Through Accessibility Services, PixPirate is able to distinguish between the various UI elements of the bank’s activity and the password input text displayed on the screen.
Moreover, PixPirate includes a script that can be used to delete SMS messages that contain particular text. When the default SMS app is active in the foreground, the malware can long-click, select the delete button, and complete the deletion.
Additionally, threat actors incorporated certificate pinning, which is a popular method for protecting communications from man-in-the-middle attacks.
Despite the fact that PixPirate appears to be in its infancy, researchers believe it is impossible to exclude the possibility that more threats will follow in the future, either targeting other LATAM countries or even shifting the focus to other regions.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.