Endpoint Security , Fraud Management & Cybercrime , Mobile Payments Fraud
'PixPirate' Banking Trojan Targets Brazilian Pix UsersBrazil Weathers Yet Another Malicious App for Stealing Money
An advanced Android banking Trojan is targeting Brazilian adopters of an instant payment platform known as Pix, marking another foray by the South American country's criminal underground into digital larceny.
Researchers at Italian fintech security firm Cleafy say they encountered the Trojan around the start of this year. They call the Trojan "PixPirate" - Pix being the instantaneously successful system for transferring money between bank accounts launched by the Central Bank of Brazil in November 2020. It has since become the most-used payment method in Brazil, Bloomberg has reported, notching 26 billion transactions.
PixPirate belongs to the newest generation of Android banking Trojan, Cleafy says, citing its ability to perform an Automatic Transfer System attack and automate malicious money transfers.
Brazil has a reputation as a hotbed of Trojan activity perpetuated by domestic cybercriminals eager to take advantage of a populace that embraced online banking relatively early and in large numbers. PixPirate is not the first banking Trojan to target Pix users, as researchers from CheckPoint in 2021 uncovered malware they dubbed PixStealer. Trojan developers' tactics over the years have been tenacious as well as imaginative, including a Trojan spotted in 2019 masquerading as fake discount coupons for McDonalds.
PixPirate also poses as a legitimate function, including as a mobile security app. Its usual method of delivery is via a dropper application. During installation, PixPirate immediately goads users into enabling Accessibility Services through repeated pop-up requests. Banking Trojans routinely attempt to gain access to Accessibility Services, an operating system feature designed to allow developers to adapt apps to users with disabilities. Access to it allows hackers free range over the Android system.
Cleafy researchers say PixPirate "seems to be still in the early stages of development," given behaviors such as sending logs to the command-and-control server and comments present in the code.
That means it's possible that even more banking Trojans following the PixPirate example will be coming, they say - Trojans targeted at other Latin American countries "or even moving their eyes toward different regions."