PixPirate Banking Trojan Targets Android Devices


The PixPirate Android banking trojan's operators have adopted a novel tactic to elude detection on compromised devices and gather sensitive data from users in Brazil. According to IBM's recent technical report, this method involves concealing the malicious app's icon on the victim's device home screen.

Security researcher Nir Somech explained that this approach ensures victims remain unaware of the malicious activities carried out by the malware in the background during reconnaissance and attack phases.

PixPirate, initially identified by Cleafy in February 2023, is notorious for exploiting Android's accessibility services to execute unauthorized fund transfers through the PIX instant payment platform when users access targeted banking apps.

This malware, which constantly mutates, can also steal online banking credentials and credit card details, intercept SMS messages, and capture keystrokes to obtain two-factor authentication codes.

PixPirate Spreads Through Texts and Social Apps

The typical distribution method involves SMS and WhatsApp, with a dropper app facilitating the deployment of the main payload for financial fraud. Somech clarified that in the case of PixPirate, the downloader not only installs the payload but also executes it, playing an active role in the malicious activities by communicating with the main payload and executing commands.

The downloader prompts users to update the app, then either retrieves the PixPirate component from a server controlled by the threat actor or installs it from within itself if it is embedded. Notably, the latest version of the main payload no longer includes an activity for launching the app from the home screen by tapping its icon. This means that the downloader and the main payload must work together: the downloader binds to a service exported by the main payload to execute the PixPirate APK.
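The two manifest traits described above (no launcher activity, plus a service another app can bind to) can be checked statically. The following is an added triage example, not code from IBM's report or from the malware; it assumes the manifest has already been decoded to text XML, and both sample manifests and their component names are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
MAIN, LAUNCHER = "android.intent.action.MAIN", "android.intent.category.LAUNCHER"
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def has_launcher_entry(app):
    """True if an enabled activity or alias carries a MAIN + LAUNCHER filter."""
    for comp in app.findall("activity") + app.findall("activity-alias"):
        if comp.get(NS + "enabled") == "false":
            continue
        for flt in comp.findall("intent-filter"):
            names = {e.get(NS + "name") for e in flt}
            if MAIN in names and LAUNCHER in names:
                return True
    return False

def triage(manifest_xml):
    """Summarise launcher, bindable-service and accessibility signals."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        raise ValueError("no <application> element")
    open_services, accessibility = [], []
    for svc in app.findall("service"):
        name, perm = svc.get(NS + "name"), svc.get(NS + "permission")
        # With no explicit value, an intent-filter makes the service exported.
        default = "true" if svc.find("intent-filter") is not None else "false"
        if perm == A11Y:
            accessibility.append(name)
        elif svc.get(NS + "exported", default) == "true" and perm is None:
            open_services.append(name)  # any installed app can bind to it
    launcher = has_launcher_entry(app)
    return {"launcher": launcher, "open_services": open_services,
            "accessibility": accessibility, "review": not launcher and bool(open_services)}

# Constructed samples (not taken from any real APK).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
HIDDEN = HEAD + """<application>
  <service android:name=".ControlService" android:exported="true"/>
  <service android:name=".A11yService" android:exported="true"
           android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
</application></manifest>"""
NORMAL = HEAD + """<application>
  <activity android:name=".Main" android:exported="true"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity>
  <service android:name=".Sync" android:exported="false"/>
</application></manifest>"""
```

Legitimate plugins and background components also ship without a launcher icon, so the `review` flag is a prompt for manual analysis rather than a verdict.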
