Threat actors behind the PixPirate Android banking trojan are exploiting a new trick to evade detection on compromised devices and collect sensitive information from users in Brazil.
The approach hides the malicious app’s icon from the home screen of the victim’s device, IBM said in a technical report published today.
“Thanks to this new technique, during the reconnaissance and attack phases of PixPirate, the victim remains unaware of the malicious operations this malware performs in the background,” said security researcher Nir Somech.
PixPirate, first documented by Cleafy in February 2023, is known for its abuse of Android accessibility services to secretly perform unauthorized fund transfers using the PIX instant payment platform when a targeted banking app is opened.
The ever-changing malware is also capable of stealing victims’ online banking credentials and credit card information, as well as capturing keystrokes and intercepting SMS messages to access two-factor authentication codes.
Typically delivered via SMS and WhatsApp, the attack flow involves the use of a dropper app (also known as a downloader) designed to deliver the main payload (also known as a droppee) to carry out the financial fraud.
“Usually, the downloader is used to download and install the droppee, and from this point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant,” Somech explained.
“In the case of PixPirate, the downloader is responsible not only for downloading and installing the droppee, but also for its operation and execution. The downloader plays an active role in the malicious activities of droppees as they communicate with each other and send commands to execute.”
Once launched, the downloader APK prompts the victim to “update” the app; that update either fetches the PixPirate component from an attacker-controlled server or installs a copy embedded in the downloader itself.
What has changed in the latest version of the droppee is the absence of any activity declaring the “android.intent.action.MAIN” action together with the “android.intent.category.LAUNCHER” category, the combination that lets a user launch an app from the home screen by tapping its icon.
In other words, the infection chain requires both the downloader and the droppee to work in tandem, with the former responsible for running the PixPirate APK by binding to a service exported by the droppee.
“Later, to maintain persistence, the droppee is also triggered by the different receivers it has registered,” Somech said. “The receivers are set to be triggered based on different events that occur in the system and not necessarily by the downloader that initially triggered the droppee to run.”
“This technique allows the PixPirate droppee to function and hide its existence even if the victim removes the PixPirate downloader from their device.”
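The traits described above (no MAIN/LAUNCHER activity, an exported service for another app to bind to, and receivers registered for system events) can be checked from a decoded AndroidManifest.xml. The following heuristic is an added example written for this article, not code from IBM or from the malware; the manifest it parses is a constructed sample, and the component and action names in it are placeholders.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace as ElementTree stores it
A = "{http://schemas.android.com/apk/res/android}"


def _filters(component):
    """Yield (actions, categories) for every intent-filter of a component."""
    for f in component.findall("intent-filter"):
        actions = {a.get(A + "name") for a in f.findall("action")}
        cats = {c.get(A + "name") for c in f.findall("category")}
        yield actions, cats


def analyze_manifest(xml_text):
    """Flag an app that has no home-screen entry point yet can be started by others."""
    app = ET.fromstring(xml_text).find("application")
    has_launcher = any(
        "android.intent.action.MAIN" in acts and "android.intent.category.LAUNCHER" in cats
        for act in app.findall("activity") for acts, cats in _filters(act)
    )
    # services another app can bind to (explicit android:exported="true")
    exported = [s.get(A + "name") for s in app.findall("service")
                if s.get(A + "exported") == "true"]
    # system events that will wake the app without any user action
    receiver_actions = sorted(a for r in app.findall("receiver")
                              for acts, _ in _filters(r) for a in acts)
    return {
        "has_launcher": has_launcher,
        "exported_services": exported,
        "receiver_actions": receiver_actions,
        # heuristic: no icon, but runnable through binding or broadcasts
        "hidden_entry": not has_launcher and bool(exported or receiver_actions),
    }


# Constructed sample manifest (placeholder names, not from any real APK)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.droppee">
  <application>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".CommandService" android:exported="true">
      <intent-filter><action android:name="com.example.droppee.BIND"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(analyze_manifest(SAMPLE_MANIFEST))
```

A launcher-less manifest is not malicious on its own (many legitimate apps have none), so treat the flag as a triage signal to combine with other indicators such as accessibility-service declarations.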
The development comes as banks in Latin America (LATAM) have become the target of a new malware called Fakext that uses a rogue Microsoft Edge extension called SATiD to carry out man-in-the-browser and web injection attacks aimed at stealing the credentials entered on the target bank’s website.
It is worth noting that SAT ID is a service offered by the Tax Administration Service (SAT) of Mexico to generate and update electronic signatures for online tax filing.
In select cases, Fakext is designed to display an overlay inviting the victim to download a legitimate remote access tool by impersonating the bank’s IT support team, ultimately allowing the threat actors to conduct financial fraud.
The campaign – active since at least November 2023 – targets 14 banks operating in the region, the majority of which are located in Mexico. The extension has since been removed from the Edge add-ons store.