Beware of PixPirate Malware Targeting WhatsApp Users

PixPirate malware is targeting users in Brazil, India, Italy, and Mexico, posing as a fake authentication app to steal banking data.

It spreads through Smishing and WhatsApp spam from infected devices.

All about PixPirate Malware

PixPirate is not on the Google Play Store and uses social engineering to trick users into downloading it.

Once installed, it prompts users to install an “updated version,” which is the full malware.

This tactic lets the malware gain full permissions on the victim’s device, according to Security Intelligence researchers.

PixPirate is a Remote Access Tool (RAT) with various malicious features:

Targets Pix payment services for financial fraud.
Steals user data from infected devices.
Spreads via WhatsApp.
Hides its icon to avoid detection.
Intercepts SMS messages.
Monitors user activity.
Uses anti-detection techniques like VM detection and obfuscation.

If WhatsApp isn’t installed, the malware prompts its installation to spread further.

Once installed, PixPirate can send phishing messages to contacts and groups, read and modify the user’s contact list, create and manage WhatsApp groups, block and unblock accounts, and delete messages to cover its tracks.

This strategy is particularly effective because WhatsApp messages are often seen as more trustworthy than SMS, especially when sent from known contacts. While Brazil remains the primary target, with nearly 70% of infections, India has emerged as the second most affected country, accounting for about 20% of global PixPirate infections.

Although no Indian banks are currently targeted, researchers believe PixPirate developers may be preparing future attacks, potentially targeting the widely used UPI system.

To protect yourself from PixPirate and similar malware: