The Android banking malware, PixPirate, is pushing the boundaries of stealth with innovative techniques to evade detection.
IBM Trusteer researchers have uncovered the malware’s sophisticated methods, which significantly threaten financial institutions, particularly in Brazil.
PixPirate, a financial remote access trojan (RAT), employs advanced anti-research tactics to remain undetected.
It operates through two malicious apps—a downloader and a droppee—that work in tandem to execute fraudulent activities without the victim’s knowledge.
Evading Android’s Security Measures
Traditionally, banking malware hides its presence by removing its launcher icon using the SetComponentEnabledSetting API.
However, Android 10’s security enhancements rendered this method obsolete.
PixPirate circumvents these restrictions with a novel approach, effectively disappearing from the victim’s view during reconnaissance and attack phases.
According to the Security intelligence report, PixPirate, a financial malware from Brazil, is currently undetectable by most antivirus software.
PixPirate’s RAT Capabilities
PixPirate leverages the accessibility service to gain RAT capabilities, allowing it to monitor user activities and steal sensitive information such as online banking credentials and credit card details.
It can also manipulate SMS messages to bypass two-factor authentication (2FA) measures.
Key features of PixPirate include:
- Application manipulation and control
- Keylogging
- App inventory collection
- App installation and removal
- Device screen locking and unlocking
- Access to phone accounts and contact lists
- Device location tracking
- Anti-VM and anti-debug features
- Persistence after reboot
- Spreading via WhatsApp
- SMS message manipulation
- Disabling Google Play Protect
These capabilities enable PixPirate to conduct on-device fraud (ODF), executing transactions from the victim’s device to avoid triggering bank security systems.
Shah Sheikh, a cybersecurity professional, recently tweeted about PixPirate, a Brazilian financial malware designed to remain undetected on the victim’s system.
The Infection Flow of PixPirate
Unlike typical financial malware that relies on a single Android Package (APK), PixPirate consists of two components.
The downloader app is not merely a conduit for installing the droppee; it actively participates in executing the malware, maintaining communication, and sending commands.
Victims are typically infected through malicious links sent via WhatsApp or SMS phishing messages.
The downloader masquerades as a legitimate banking app, tricking victims into installing an “update” that is the PixPirate malware.
PixPirate’s Innovative Hiding Technique
PixPirate’s droppee app lacks a primary activity, meaning it has no launcher icon and is invisible on the home screen. The downloader app triggers the droppee, which would otherwise remain dormant.
This technique ensures the malware’s persistence even if the victim removes the downloader.
PixPirate targets the Brazilian instant payment platform Pix, manipulating transactions to redirect funds to fraudsters’ accounts.
The malware waits for the user to open a banking app, then captures login credentials and executes unauthorized transfers.
Automatic and Manual Fraud Execution
PixPirate can perform fraud automatically, with pre-coded activities for each transaction process step.
It also has a manual mode, which allows fraudsters to remotely control the victim’s device and execute transactions in real-time.
PixPirate represents a threat due to its ability to remain hidden and its potential for financial damage.
Users and financial institutions must stay informed about such malware to protect against these evolving threats.
With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.