Researchers have traced an Android banking trojan dubbed “PixBankBot” that abuses the popular Brazilian instant payment platform Pix.
The Android trojan PixBankBot is built around an Automated Transfer System (ATS) framework and abuses the Android Accessibility Service to identify and track user interface (UI) elements within targeted banking apps, specifically the screens those apps use for Pix transfers.
By doing so, PixBankBot can execute fraudulent transactions and capture sensitive information including account balances and money transfer details, found Cyble Research & Intelligence Labs (CRIL) researchers.
“An impressive statistic provided by Banco Central do Brasil reveals that over 138 million users have transacted using Pix as of April 2023; it’s clear that its popularity continues to soar,” said the CRIL report.
“However, as this innovative technology empowers users, it has also captured the attention of Threat Actors (TAs).”
PixBankBot: Pix and the price of popularity
Pix is a fast and convenient instant payment platform developed and overseen by the Central Bank of Brazil (BCB), the country’s monetary authority.
The Central Bank of Brazil internally designed and created the “Pix” brand name and logo in 2020.
Announced in 2019 and officially operational since November 16, 2020, Pix enables users to swiftly execute various types of payments and transfers.
Brazilian banks that participate in the Pix instant payment system now face an ongoing onslaught from threat actors who have followed that popularity, the CRIL research report warned.
In the past six months, Cyble Research & Intelligence Labs (CRIL) has witnessed a surge in Android banking trojans specifically tailored to Brazilian banks.
The cases spotted recently include the Chameleon Android banking trojan, which targeted mobile users to capture SMS messages and maintain persistence, and ‘Zanubis’, which targeted over 40 banking applications from Peru.
These trojans employ the Automated Transfer System (ATS) framework to carry out fraudulent transactions, posing a significant threat to the region’s banking sector.
Among the recent discoveries, PixBankBot has emerged as a new variant that specifically targets the online services of Brazilian banks, especially their Pix transfer functionality.
PixBankBot: How it works
The PixBankBot malware disguises itself as a PDF application, utilizing the icon and name of a genuine PDF app to deceive victims into installing the malicious software.
Once installed, the malware prompts users to enable the Accessibility Service, which it then abuses for keylogging and executing the ATS framework.
Upon enabling the Accessibility Service, the malware secretly sends basic device information such as device name, Android version, IP address, and region to a Command & Control (C&C) server.
The PixBankBot trojan utilizes the Accessibility Service to identify the package name of the application currently in the foreground and compare it against its list of targeted banking applications.
If the victim interacts with any of the banking applications on that list (the full table is in the CRIL report), the malware initiates keylogging and begins executing the ATS.
To further mask its activities, PixBankBot draws a fake overlay window on top of the genuine banking application, ensuring the victim remains unaware of the malicious actions taking place underneath.
Meanwhile, the malware interacts with the legitimate banking application through the Accessibility Service to carry out automatic fund transfers.
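The abuse chain above (a sideloaded app granted the Accessibility Service, then used to drive a bank app) leaves a visible footprint on the device. The following is an added triage example, not code from the CRIL report or from the malware: it parses the output of two standard Android commands, `settings get secure enabled_accessibility_services` and `pm list packages -3` (both run over `adb shell`), and flags accessibility services outside an allowlist and any installed apps from a targeted-bank list. The sample command output and the package names are constructed for illustration, not taken from the report.

```python
"""Added triage helpers for the PixBankBot abuse pattern (not from the CRIL report)."""

# Assumption: services a responder has verified as legitimate on the fleet.
ALLOWED_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Assumption: hypothetical package names of bank apps a responder cares about.
TARGETED_BANK_PACKAGES = {"br.com.examplebank.app", "br.com.otherbank.mobile"}

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.pdf.viewer.free/com.pdf.viewer.free.AccessService"
)

# Constructed output of: adb shell pm list packages -3
SAMPLE_PM_LIST = """package:com.pdf.viewer.free
package:br.com.examplebank.app
package:com.example.game
"""


def parse_enabled_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """Split the colon-separated 'package/Service' list into (package, service) pairs.

    The setting is 'null' or empty when no service is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        package, service = entry.split("/", 1)
        # A leading '.' means the service class is relative to the package.
        if service.startswith("."):
            service = package + service
        pairs.append((package, service))
    return pairs


def unexpected_accessibility_services(raw: str, allowlist: set[str]) -> list[str]:
    """Return enabled services that are not on the allowlist (candidates for abuse)."""
    flagged = []
    for package, service in parse_enabled_accessibility_services(raw):
        if f"{package}/{service}" not in allowlist:
            flagged.append(f"{package}/{service}")
    return flagged


def parse_pm_list(raw: str) -> set[str]:
    """Extract package names from 'package:<name>' lines."""
    packages = set()
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):])
    return packages


def installed_targeted_banks(pm_output: str, targets: set[str]) -> set[str]:
    """Which targeted bank apps are present on the device (exposure check)."""
    return parse_pm_list(pm_output) & targets


def triage(enabled_services_raw: str, pm_output: str) -> dict:
    """Combine both checks: a non-allowlisted accessibility service on a device
    that also has a targeted bank app installed is the high-risk combination."""
    suspicious = unexpected_accessibility_services(
        enabled_services_raw, ALLOWED_ACCESSIBILITY_SERVICES
    )
    exposed = installed_targeted_banks(pm_output, TARGETED_BANK_PACKAGES)
    return {
        "suspicious_services": suspicious,
        "exposed_bank_apps": sorted(exposed),
        "high_risk": bool(suspicious) and bool(exposed),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_LIST))
```

On a real device the two inputs come from `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`; an allowlist mismatch is not proof of compromise (screen readers and password managers legitimately use the service), but a sideloaded "PDF reader" holding it on a device with a bank app installed is exactly the combination the report describes.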
PixBankBot: Cashing in on transfers
Fund transfers are facilitated through Pix keys, which serve as unique identifiers associated with recipients’ bank account information. The malware connects to a Pastebin URL to retrieve the Threat Actor’s (TA’s) Pix key.
The Pastebin content holds a different random Pix key (a system-generated UUID) for each targeted banking application, stored base64-encoded, which the malware decodes before executing the fund transfer.
To insert the fetched Pix key, the malware scans the banking app’s UI elements for the word “chave” (Portuguese for “key”), which marks the recipient-key field on the Pix transfer screen.
Once located, the malware inserts the Pix key obtained from the server into the corresponding EditText field.
The specific code demonstrated in the report is designed for the Itaú bank app, although the malware scans different UI elements to find the page related to the Pix key in the other targeted banking applications.
“Once the malware finishes the money transfer, it sends the transfer amount and the targeted bank name to the C&C server. Then it removes itself from the infected device to avoid being detected,” said the report.
“The TA(s) behind PixBot has skillfully monitored all the UI elements of the targeted banking application to implement an ATS framework and conduct fraudulent transactions on the victim’s device,” it added.
Moreover, the threat actor (TA) has implemented additional conditions under which the malicious application uninstalls itself from the compromised device.
For example, if the account balance dips below R$500.00 (the device is no longer worth the exposure) or if a money transfer has been executed successfully, the application automatically deletes itself to evade detection and prevent the victim from becoming suspicious.