PixPirate: An invisible looter of Android devices in Brazil

The immortal Trojan uses the device's built-in functions to automate the theft of funds.

IBM revealed details about the PixPirate Trojan that attacks Android users in Brazil, bypassing security systems on infected devices and stealing financial information.

PixPirate uses a trick to hide the malicious app's icon from the home screen of the victim's device, so the user does not see it during either the reconnaissance phase or the attack itself. This lets PixPirate run in the background without arousing the victim's suspicion.

PixPirate is capable of:
  • abusing Android accessibility services to make unauthorized transfers of funds through the PIX instant payment platform;
  • stealing online banking credentials;
  • stealing bank card information;
  • logging keystrokes (keylogging);
  • intercepting SMS messages to access two-factor authentication codes.


PixPirate Infection Chain

PixPirate is distributed via SMS and WhatsApp, using a downloader app to install the main component responsible for financial fraud. Unlike traditional attacks, where the loader is only used for downloading and installing, in the case of PixPirate, it actively participates in fraudulent operations by executing commands and exchanging messages with the main component.

After launch, the downloader APK prompts the victim to "update" the app; the update either fetches the PixPirate component from the attacker's server or installs a copy that is already embedded in the downloader itself.

The latest version of the malware has no launcher activity at all, so there is nothing to start it from the home screen, which makes it even harder to notice. Even if you remove the PixPirate loader from your device, the main component keeps working, thanks to persistence mechanisms that are triggered by various system events.
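The traits just described (no launcher activity, an accessibility service, SMS access, wake-up on system events) can be checked statically in a decoded AndroidManifest.xml. The triage script below is an added example written for this post, not code from IBM's or Cleafy's research; the two manifests in it are constructed samples, not real PixPirate artefacts, and the heuristic only flags candidates for a closer look.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def _filter_has(component, action, category=None):
    """True if an intent-filter on the component declares the action (and category, if given)."""
    for f in component.findall("intent-filter"):
        actions = {a.get(NS + "name") for a in f.findall("action")}
        cats = {c.get(NS + "name") for c in f.findall("category")}
        if action in actions and (category is None or category in cats):
            return True
    return False

def triage_manifest(xml_text):
    """Flag the manifest traits that match the PixPirate description; returns a dict of findings."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    comps = [] if app is None else list(app)
    perms = {p.get(NS + "name") for p in root.findall("uses-permission")}
    traits = {
        # no MAIN/LAUNCHER activity: nothing to show on the home screen (also true of legitimate
        # UI-less packages, so treat this as a triage signal, not a verdict)
        "hidden_icon": not any(_filter_has(c, "android.intent.action.MAIN", "android.intent.category.LAUNCHER")
                               for c in comps if c.tag in ("activity", "activity-alias")),
        # a service bound with the accessibility permission can read and drive the UI
        "accessibility_service": any(c.tag == "service" and c.get(NS + "permission") == A11Y_PERM for c in comps),
        "sms_access": bool(perms & SMS_PERMS),
        # a receiver woken by BOOT_COMPLETED keeps the component running after a reboot
        "boot_persistence": any(c.tag == "receiver" and _filter_has(c, "android.intent.action.BOOT_COMPLETED") for c in comps),
    }
    traits["score"] = sum(1 for v in traits.values() if v)
    return traits

# Constructed sample manifests (not real PixPirate artefacts) to exercise the heuristic.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application></manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.benign">
  <application><activity android:name=".Main"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity></application></manifest>"""
```

Run `triage_manifest()` on the manifest extracted from a suspicious APK (for example with apktool); a high score on a package the user never installed deliberately is worth investigating.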

PixPirate was first documented by Cleafy in February 2023. At the time, researchers noted that PixPirate belongs to the latest generation of Android banking Trojans, because it can not only disable Google Play Protect but also act as an automatic transfer system (ATS). This capability lets attackers automate fraudulent money transfers through the Pix instant payment platform, which is actively used by several Brazilian banks.