
PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions


A new Android banking trojan has set its eyes on Brazilian
financial institutions to commit fraud by leveraging the PIX
payments platform.

Italian cybersecurity company Cleafy, which discovered the
malware between the end of 2022 and the beginning of 2023, is
tracking it under the name PixPirate.

“PixPirate belongs to the newest generation of Android banking
trojan, as it can perform ATS[1]
(Automatic Transfer System[2]), enabling attackers to
automate the insertion of a malicious money transfer over the
Instant Payment platform Pix, adopted by multiple Brazilian banks,”
researchers Francesco Iubatti and Alessandro Strino said[3].

It is also the latest addition to a long list of Android banking
malware that abuses the operating system's accessibility services API
to carry out its functions, which in PixPirate's case include disabling
Google Play Protect, intercepting SMS messages, preventing
uninstallation, and serving rogue ads via push notifications.

Besides stealing passwords entered by users in banking apps, the
operators have obfuscated and encrypted the malware's code, which is
built on Auto.js, a JavaScript-based automation framework for Android,
to resist reverse engineering efforts.

The dropper apps used to deliver PixPirate come under the garb
of authenticator apps. There are no indications that the apps were
published to the official Google Play Store.

The findings come more than a month after ThreatFabric disclosed
details of another malware called BrasDex[4]
that also comes with ATS capabilities, in addition to abusing PIX
to make fraudulent fund transfers.

“The introduction of ATS capabilities paired with frameworks
that will help the development of mobile applications, using
flexible and more widespread languages (lowering the learning curve
and development time), could lead to more sophisticated malware
that, in the future, could be compared with their workstation
counterparts,” the researchers said.

The development also comes as Cyble shed light on a new Android
remote access trojan codenamed Gigabud RAT targeting users in
Thailand, Peru, and the Philippines since at least July 2022 by
masquerading as bank and government apps.


“The RAT has advanced features such as screen recording and
abusing the accessibility services to steal banking credentials,”
the researchers said[5], noting its use of
phishing sites as a distribution vector.
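Both PixPirate and Gigabud rely on an enabled accessibility service to drive the UI, and PixPirate additionally reads SMS. A first triage step on a suspect device is therefore to list which third-party packages have an accessibility service switched on and what other sensitive permissions they request. The script below does that from the text output of three `adb shell` commands. It is an added example, not code from Cleafy, Cyble or this article; the package names are hypothetical, the command outputs are constructed samples embedded inline so it runs offline, and the `dumpsys package` layout is an approximation of the real format (a "requested permissions:" header followed by one indented permission per line, terminated by the next section header).

```python
"""
Triage third-party Android apps that have an accessibility service enabled.

Input is the text of three adb shell commands (constructed samples below):
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
  adb shell dumpsys package <pkg>   (only the "requested permissions:" part is used)
"""
import re

# Constructed sample: 'pkg/Service:pkg/Service' (TalkBack is a legitimate system service)
ENABLED_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.authapp/com.example.authapp.AccService"
)

# Constructed sample of `pm list packages -3` (user-installed packages only)
THIRD_PARTY_PACKAGES = """\
package:com.example.authapp
package:com.example.notes
"""

# Constructed, approximated `dumpsys package <pkg>` fragments, keyed by package
DUMPSYS_SAMPLES = {
    "com.example.authapp": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.BIND_ACCESSIBILITY_SERVICE
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.notes": """\
    requested permissions:
      android.permission.INTERNET
""",
}

# Permissions that, combined with accessibility access, match banking-trojan tradecraft
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


def parse_enabled_services(setting):
    """Map package -> list of enabled accessibility service class names."""
    services = {}
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, svc = entry.partition("/")
        services.setdefault(pkg, []).append(svc)
    return services


def parse_package_list(text):
    """Extract package names from `pm list packages` output."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", text, re.M)}


def parse_requested_permissions(dump):
    """Collect the names under 'requested permissions:' until the next section header."""
    perms = set()
    in_section = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line == "requested permissions:":
            in_section = True
            continue
        if in_section:
            if not line or line.endswith(":"):   # blank line or next header ends the section
                break
            perms.add(line.split(":")[0])
    return perms


def triage(enabled_setting, pkg_list_text, dumpsys_by_pkg):
    """Return findings for third-party packages with an enabled accessibility service."""
    enabled = parse_enabled_services(enabled_setting)
    third_party = parse_package_list(pkg_list_text)
    findings = []
    for pkg, svcs in enabled.items():
        if pkg not in third_party:
            continue  # preinstalled services (e.g. TalkBack) are out of scope for this check
        perms = parse_requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        findings.append({
            "package": pkg,
            "services": svcs,
            "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        })
    return findings


if __name__ == "__main__":
    for f in triage(ENABLED_ACCESSIBILITY, THIRD_PARTY_PACKAGES, DUMPSYS_SAMPLES):
        print(f"{f['package']}: services={f['services']} risky={f['risky_permissions']}")
```

On a real device, replace the three constants with the captured command output. A third-party "authenticator" that has an accessibility service enabled and also requests SMS permissions is exactly the profile described above and warrants pulling the APK for analysis.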

The cybersecurity firm further revealed[6]
that the threat actors behind the InTheBox darknet marketplace[7] are advertising a
catalog of 1,894 web injects that are compatible with various
Android banking malware such as Alien, Cerberus, ERMAC, Hydra, and
Octo.

The web inject modules, mainly used for harvesting credentials
and sensitive data, are designed to single out banking, mobile
payment services, cryptocurrency exchanges, and mobile e-commerce
applications spanning Asia, Europe, the Middle East, and the
Americas.

But in a more concerning twist, fraudulent apps have found a way
to bypass defenses in the Apple App Store and Google Play to perpetrate
a pig butchering scam known as CryptoRom[8].

The technique entails employing social engineering methods such
as approaching victims through dating apps like Tinder to entice
them into downloading fraudulent investment apps with the goal of
stealing their money.

The malicious iOS apps in question are Ace Pro and MBM_BitScan,
both of which have since been removed by Apple. An Android version
of MBM_BitScan has also been taken down by Google.

Cybersecurity firm Sophos, which made the discovery, said the
iOS apps featured a “review evasion technique” that enabled the
malware authors to get past the vetting process.

“Both the apps we found used remote content to provide their
malicious functionality — content that was likely concealed until
after the App Store review was complete,” Sophos researcher
Jagadeesh Chandraiah said[9].

Pig butchering scams had their beginnings in China and Taiwan,
and have since expanded globally in recent years, with a huge chunk of operations[10] carried out from
special economic zones in Laos, Myanmar, and Cambodia.

In November 2022, the U.S. Department of Justice (DoJ) announced[11] the takedown of seven
domain names in connection to a pig butchering cryptocurrency scam
that netted the criminal actors over $10 million from five
victims.


References

  1. ATS (www.cleafy.com)
  2. Automatic Transfer System (www.malwaretech.com)
  3. said (www.cleafy.com)
  4. BrasDex (thehackernews.com)
  5. said (blog.cyble.com)
  6. revealed (blog.cyble.com)
  7. InTheBox darknet marketplace (thehackernews.com)
  8. CryptoRom (thehackernews.com)
  9. said (news.sophos.com)
  10. huge chunk of operations (www.vice.com)
  11. announced (thehackernews.com)
  12. Twitter (twitter.com)
  13. LinkedIn (www.linkedin.com)
