A sophisticated Brazilian banking trojan uses an innovative method to hide its presence on Android devices.
“PixPirate” is multi-pronged malware built specifically to take advantage of Pix, an app for making bank transfers developed by the Central Bank of Brazil. Pix is an attractive target for cybercriminals linked to Brazil: despite being just 3 years old, it is already integrated into the online platforms of most Brazilian banks and has more than 150 million users, according to Statista. It processes around 3 billion transactions every month, worth approximately 250 billion dollars in Brazilian reais.
PixPirate’s powerful new trick, documented in a new post on the IBM blog, is the way it hides its presence on an Android device (no app icon, seemingly no footprint whatsoever) despite protections designed by Google’s engineers to prevent exactly that. And experts warn that a similar tactic could be employed by banking malware targeting the US and the EU.
How PixPirate infections work
PixPirate is the cutting-edge successor to the banking Trojans of the past.
It is usually spread via a fake bank authentication app, sent to potential victims via WhatsApp or SMS. Clicking the link downloads a downloader, which then prompts the user to further download an “updated” version of the fake app (which is the PixPirate payload).
“From the victim’s point of view, they are not aware of the PixPirate malware installed by the downloader because in their eyes the downloader is legitimate. So they hardly suspect anything suspicious,” explains Nir Somech, mobile security researcher at IBM Trusteer.
Once embedded in an Android phone, the malware lies in wait until the user opens a real banking app. At that point it goes into action, capturing the login credentials the user types and sending them to a command and control (C2) server run by the attacker. With account access in hand, it shows the user a fake overlay screen while, underneath it, it opens the banking app, programmatically presses the buttons needed to reach the Pix page, and performs an unauthorized transfer.
PixPirate also offers dozens of other features to facilitate this financial fraud: tracking the device’s location, keylogging, locking and unlocking the screen, accessing contacts and call history, installing and deleting apps, persisting after reboot, and more.
However, its newest and most advanced feature lies in how it hides all evidence of itself from the user.
How PixPirate hides on Android
Traditionally, malicious apps have hidden their presence on compromised devices simply by hiding their home screen icons.
Starting with Android 10, however, this has become impossible. Nowadays, all app icons must be visible, except for system apps or those that do not require permissions from the user.
Like every cybersecurity advance before it, this positive change also served as a creative constraint. “It has allowed threat actors to adapt, and that’s what we’re seeing with this new mechanism, where the icon doesn’t need to be hidden because it just doesn’t exist,” Somech says.
By “does not exist” he means that PixPirate has no main activity on the device, not even a launcher. So how do you start an app without a launcher?
The key is that the app actually running on the device is the downloader, not the payload. When desired, the downloader launches the payload by binding to an exported service in the payload app, which then runs it. From then on the two keep communicating, passing malicious commands back and forth.
For persistence, once the downloader has triggered it for the first time, the payload’s service also registers other “receivers”, which fire when certain events occur on the device.
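The launch pattern described above (no activity with a launcher intent filter, but an exported service another app can bind to, plus receivers for persistence) is visible in an app’s manifest, so a defender can triage installed packages for it. The following is an added example, not code from the article or from IBM Trusteer: it parses a decoded AndroidManifest.xml (as produced by apktool, an assumption) and reports whether the app would have a home-screen icon, which services and receivers are exported, and whether a boot receiver is registered. The two sample manifests and every package and component name in them are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def android_attr(elem, name):
    """Read an android:<name> attribute (namespaced in a decoded manifest)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def filter_actions(component):
    """All intent-filter action names declared on a component, sorted."""
    return sorted(
        android_attr(a, "name")
        for flt in component.findall("intent-filter")
        for a in flt.findall("action")
        if android_attr(a, "name")
    )


def is_launcher(component):
    """True if an activity/activity-alias has a MAIN + LAUNCHER intent filter,
    i.e. it would get a home-screen icon."""
    for flt in component.findall("intent-filter"):
        actions = {android_attr(a, "name") for a in flt.findall("action")}
        categories = {android_attr(c, "name") for c in flt.findall("category")}
        if MAIN_ACTION in actions and LAUNCHER_CATEGORY in categories:
            return True
    return False


def is_exported(component):
    """Reachable from other apps if android:exported="true"; with no explicit
    attribute, an intent-filter makes the component exported by default."""
    exported = android_attr(component, "exported")
    if exported is not None:
        return exported == "true"
    return component.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Summarise the launch surface of one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    activities = app.findall("activity") + app.findall("activity-alias")
    exported_services = [
        android_attr(s, "name") for s in app.findall("service") if is_exported(s)
    ]
    exported_receivers = {
        android_attr(r, "name"): filter_actions(r)
        for r in app.findall("receiver") if is_exported(r)
    }
    has_launcher = any(is_launcher(a) for a in activities)
    boot_persistence = any(BOOT_ACTION in acts for acts in exported_receivers.values())
    return {
        "package": root.get("package"),
        "has_launcher": has_launcher,
        "exported_services": exported_services,
        "exported_receivers": exported_receivers,
        "boot_persistence": boot_persistence,
        # The pattern the article describes: nothing to tap on the home screen,
        # yet another app can start this code through an exported service.
        "suspicious": not has_launcher and bool(exported_services),
    }


# Constructed sample: an ordinary app with a launcher icon and no exported services.
NORMAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ordinaryapp">
  <application>
    <activity android:name="com.example.ordinaryapp.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name="com.example.ordinaryapp.SyncService" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample: no activity at all, one exported service, and a boot receiver.
ICONLESS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iconless">
  <application>
    <service android:name="com.example.iconless.CoreService" android:exported="true"/>
    <receiver android:name="com.example.iconless.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (NORMAL_MANIFEST, ICONLESS_MANIFEST):
        print(analyze_manifest(manifest))
```

Treat the `suspicious` flag as a triage signal rather than a verdict: legitimate iconless packages exist (keyboards, plugins, vendor components), so a hit is a reason to look at which package binds to the service and what permissions the app holds, not proof of malware on its own.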
According to IBM Trusteer, this is the first financial malware to use this method to work without the app icon.
Are US Payment Apps Vulnerable?
For anyone concerned that PixPirate could pose a threat to US banks and banking apps, such as Venmo, Zelle, and PayPal, there is both good and bad news.
The good news is that the malware is tailor-made. “PixPirate exploits specific features and vulnerabilities within the Pix payment system, which may not directly apply to US payment apps with different architectures and security mechanisms,” explains Sarah Jones, cyber threat intelligence research analyst at Critical Start. “Even if core functionality could be adapted, the malware’s reliance on abusing accessibility services may require changes to align with different accessibility implementations used by US apps.”
However, she warns: “While an exact replication may face obstacles, the underlying techniques used by PixPirate pose concerns for US payment systems. The concept of abusing accessibility services for malicious purposes could inspire attackers to target other vulnerable functionality in US apps.”
“Therefore,” she concludes, “while PixPirate’s direct threat to US payment systems may be limited, its emergence highlights the importance of proactive security measures in safeguarding sensitive financial information.”