Endpoint Security , Fraud Management & Cybercrime , Mobile Payments Fraud

'PixPirate' Banking Trojan Targets Brazilian Pix Users

Brazil Weathers Yet Another Malicious App for Stealing Money
'PixPirate' Banking Trojan Targets Brazilian Pix Users
Image: Shutterstock

An advanced Android banking Trojan is targeting Brazilian adopters of an instant payment platform known as Pix, marking another foray by the South American country's criminal underground into digital larceny.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

Researchers at Italian fintech security firm Cleafy say they encountered the Trojan around the start of this year. They call the Trojan "PixPirate" - Pix being the instantaneously successful system for transferring money between bank accounts launched by the Central Bank of Brazil in November 2020. It has since become the most-used payment method in Brazil, Bloomberg has reported, notching 26 billion transactions.

PixPirate belongs to the newest generation of Android banking Trojan, Cleafy says, citing its ability to perform an Automatic Transfer System attack and automate malicious money transfers.

Brazil has a reputation as a hotbed of Trojan activity perpetuated by domestic cybercriminals eager to take advantage of a populace that embraced online banking relatively early and in large numbers. PixPirate is not the first banking Trojan to target Pix users, as researchers from CheckPoint in 2021 uncovered malware they dubbed PixStealer. Trojan developers' tactics over the years have been tenacious as well as imaginative, including a Trojan spotted in 2019 masquerading as fake discount coupons for McDonalds.

PixPirate also poses as a legitimate function, including as a mobile security app. Its usual method of delivery is via a dropper application. During installation, PixPirate immediately goads users into enabling Accessibility Services through repeated pop-up requests. Banking Trojans routinely attempt to gain access to Accessibility Services, an operating system feature designed to allow developers to adapt apps to users with disabilities. Access to it allows hackers free range over the Android system.

PixPirate uses an element of Accessibility Services to identify bank account passwords and uses a different JavaScript module for each targeted bank, since each banking app has a different layout.

Cleafy researchers say PixPirate "seems to be still in the early stages of development," given behaviors such as sending logs to the command-and-control server and comments present in the code.

That means it's possible that even more banking Trojans following the PixPirate example will be coming, they say - Trojans targeted at other Latin American countries "or even moving their eyes toward different regions."


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.