PixPirate, an Android banking malware

PixPirate, an Android banking malware, is pioneering stealth techniques to evade detection. IBM Trusteer researchers have unveiled its sophisticated methods, posing significant threats to financial institutions, especially in Brazil.

What is PixPirate?

PixPirate is a type of Android banking malware designed to steal sensitive financial information from users. It typically targets Android devices and employs various techniques to evade detection, allowing it to operate stealthily on infected devices. PixPirate is known for its sophisticated methods and poses a significant threat to financial institutions, particularly in regions like Brazil.

In the past, banking malware typically concealed itself by removing its launcher icon with the PackageManager setComponentEnabledSetting API.

However, Android 10’s security enhancements made this method ineffective. PixPirate has devised a new tactic to overcome these obstacles, allowing it to vanish from the victim’s view during both the reconnaissance and attack phases. As reported by Security Intelligence, PixPirate, which originates from Brazil, currently goes undetected by most antivirus software.

PixPirate exploits the accessibility service to acquire remote access trojan (RAT) capabilities, enabling it to monitor user activities and pilfer sensitive information like online banking credentials and credit card details.

Additionally, it can tamper with SMS messages to circumvent two-factor authentication (2FA) measures.

Key features of PixPirate include:

  • Application manipulation and control
  • Keylogging
  • App inventory collection
  • App installation and removal
  • Device screen locking and unlocking
  • Access to phone accounts and contact lists
  • Device location tracking
  • Anti-VM and anti-debug features
  • Persistence after reboot
  • Spreading via WhatsApp
  • SMS message manipulation
  • Disabling Google Play Protect

With these capabilities, PixPirate can engage in on-device fraud (ODF), carrying out transactions from the victim’s device to evade detection by bank security systems.

Recently, cybersecurity professional Shah Sheikh tweeted about PixPirate, highlighting its characteristics as a Brazilian financial malware crafted to evade detection on the victim’s system.

The Infection Flow of PixPirate

Unlike typical financial malware that relies on a single Android Package (APK), PixPirate comprises two components: a downloader and a droppee. The downloader app isn’t just a conduit for installing the droppee; it actively participates in executing the malware, maintaining communication, and sending commands.

Victims are typically infected through malicious links sent via WhatsApp or SMS phishing messages. The downloader disguises itself as a legitimate banking app, deceiving victims into installing an “update” that is, in fact, the PixPirate malware.

PixPirate’s droppee app lacks a primary activity, making it devoid of a launcher icon and invisible on the home screen. The downloader app initiates the droppee, which would otherwise remain dormant. This technique guarantees the malware’s persistence even if the victim removes the downloader.
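The two traits described above, an installed third-party package with no launcher activity combined with an enabled accessibility service, can be checked for during device triage. The script below is an added example written for this article, not code from IBM Trusteer or from the malware; it parses constructed sample output of three adb commands (the output formats of pm list packages, cmd package query-activities --brief and the enabled_accessibility_services setting are assumed here) and flags packages that match the droppee profile.

```python
import re
from typing import Dict, List, Set

# Constructed sample output (not real device data) of:
#   adb shell pm list packages -3
#   adb shell cmd package query-activities --brief \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
#   adb shell settings get secure enabled_accessibility_services
PM_LIST = """package:com.example.bank
package:com.example.updater
package:com.example.hidden.droppee
package:com.example.notes
"""
LAUNCHER_ACTIVITIES = """3 activities found:
  com.example.bank/.MainActivity
  com.example.updater/.SplashActivity
  com.example.notes/com.example.notes.Home
"""
ACCESSIBILITY = ("com.example.hidden.droppee/com.example.hidden.droppee.AccSvc:"
                 "com.example.notes/.TalkBackHelper")


def parse_packages(text: str) -> Set[str]:
    # "package:<name>" per line
    return {ln.split(":", 1)[1].strip() for ln in text.splitlines() if ln.startswith("package:")}


def parse_launcher_packages(text: str) -> Set[str]:
    # "<package>/<activity>" per line; header lines carry no "/" and are skipped
    pkgs = set()
    for ln in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.]+)/", ln)
        if m:
            pkgs.add(m.group(1))
    return pkgs


def parse_accessibility(text: str) -> Set[str]:
    # colon-separated "<package>/<service>" entries
    return {e.split("/", 1)[0] for e in text.strip().split(":") if e}


def triage(pm_list: str, launcher: str, accessibility: str) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for packages that look like a hidden droppee."""
    launcher_pkgs = parse_launcher_packages(launcher)
    acc_pkgs = parse_accessibility(accessibility)
    findings: Dict[str, List[str]] = {}
    for pkg in sorted(parse_packages(pm_list)):
        reasons = []
        if pkg not in launcher_pkgs:
            reasons.append("no launcher activity (invisible on home screen)")
        if pkg in acc_pkgs:
            reasons.append("accessibility service enabled")
        if reasons:
            findings[pkg] = reasons
    return findings
```

A package that hits both reasons deserves the first look; a single hit is common for legitimate apps (screen readers, background services) and needs manual review.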

It targets the Brazilian instant payment platform Pix, redirecting funds to fraudsters’ accounts by manipulating transactions.

The malware captures login credentials when the user opens a banking app and executes unauthorized transfers.

Users and financial institutions must stay vigilant and informed about such malware to safeguard against these evolving threats.

About the Author:

FirstHackersNews - Identifies Security
