New PixPirate banking trojan sets eyes on Brazilian financial firms

February 6, 2023

A new Android banking trojan, PixPirate, has reportedly been targeting Brazilian financial institutions and is commonly spread by leveraging the PIX instant payment system. This malware is among the newest generation of malicious strains that target banking platforms on Android.

Experts reveal that the PixPirate banking trojan is equipped with numerous attack capabilities, such as an Automatic Transfer System (ATS), which allows hackers to automate malicious fund transfers over the PIX payment system.

Many Brazilian banks have adopted the PIX payment system, which exposes them to the threat posed by the PixPirate banking trojan.

One of the many features of this new banking trojan is its capability to abuse Android's accessibility services API. The trojan abuses the API to perform many malicious activities, such as disabling Google Play Protect, spying on text messages and calls, taking screenshots, preventing uninstallation, and forcing rogue ads onto the infected device through push notifications.

Usually disguised as authenticator apps, the malware can steal credentials from banking applications. It can also leverage code obfuscation and encryption via the Auto[.]js framework to resist reverse engineering by cybersecurity tools and analysts once inside an infected device.
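A defender-side triage sketch for the behaviours described above, added here as an example (it is not code from the researchers or from the original article): it reads a decoded AndroidManifest.xml and flags apps that declare an accessibility service together with SMS or call-log permissions. The package names and the review heuristic are assumptions, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permissions matching the SMS and call spying the article describes.
SPY_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
}

def triage_manifest(manifest_xml):
    """Return accessibility services and SMS/call permissions declared by an app."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    services = [s.get(A + "name") for s in root.iter("service")
                if s.get(A + "permission") == BIND_A11Y]
    spy = sorted(requested & SPY_PERMISSIONS)
    # Heuristic (assumption): either trait alone is common; together they merit review.
    return {"package": root.get("package"), "accessibility_services": services,
            "spy_permissions": spy, "needs_review": bool(services and spy)}

# Constructed sample manifests (decoded XML form), not taken from any real app.
SAMPLE_SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.authenticator">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(triage_manifest(sample))
```

A `needs_review` result is a prompt for manual vetting, not a verdict: legitimate accessibility tools can declare the same combination.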

In related news, dark web actors who administer an underground marketplace called ‘InTheBox’ were seen offering thousands of web inject modules for popular Android banking malware strains, including Alien, Cerberus, Hydra, and Octo.

These web injects are vital components of malware payloads, used for harvesting data from numerous finance-related apps, such as banking, payment system, cryptocurrency exchange, and e-commerce apps from all across the world.

The discovery of PixPirate came a month after security researchers found another banking trojan, called ‘BrasDex’, being propagated in the wild. Like PixPirate, BrasDex has ATS capabilities, which aid it in successfully conducting fraudulent fund transfers using the Brazilian PIX payment system.

On the other hand, a new Android remote access trojan, GigaBud RAT, has also been seen targeting victims from the Philippines, Peru, and Thailand since July last year. Some of this RAT’s features include screen recording and abusing Android’s accessibility services API to steal users’ banking credentials.
