September 21, 2023

A new Android banking Trojan dubbed “PixPirate” has been spotted targeting financial institutions in Brazil since end of year 2022

As per the advisory, PixPirate is new to Android banking trojan, that can perform ATS (automatic transfer system), enabling attackers to automate the insertion of a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks,

The primary goal of this malware was to steal sensitive information and perpetrate fraud attempts on Pix users. PixPirate is usually delivered using a dropper application, used to download and install the banking trojan

Advertisements

The following features have been observed:

  • Preventing uninstall
  • Disabling Google Play Protect
  • Intercepting SMS messages
  • Intercepting banking credentials
  • Monitoring victim’s financial activities
  • Malvertising via push notifications
  • Perform ATS attacks via PIX payments

During its installation, PixPirate immediately tries to enable Accessibility Services that keep being requested persistently with fake pop-ups until the victim accepts. After these permissions are given, the threat actors were observed using PixPirate to write scripts that could interact with the device’s UI and perform actions like entering text, simulating touch events, and scrolling through lists, among others.

The PixPirate code, has few references related to a framework called Auto.js, an open-source tool for automating tasks on Android devices using JavaScript.

The researchers further explained that Auto.js represents a new framework for mobile banking Trojans that allows malicious actors to speed up the development phase via JavaScript automation scripts, web communication management features within the application and built-in code encryption/obfuscation capabilities.

Advertisements

The introduction of ATS capabilities paired with frameworks that will help the development of mobile applications, using flexible and more widespread languages. This could lead to more sophisticated malware that, in the future, could be compared with their workstation counterparts

This research was documented by researchers from Cleafy

Indicators of Compromise

  • cdown883.oss-us-east-1.aliyuncs[.]com
  • 0b7a66004793b4b976be4e5e21ceeb03
  • ccc18f54f77f5b1295f3b4cc3509cb3b
  • https[:]//apendgo[.]com/api/
  • https[:]//applebalanyou.]com/api

Leave a Reply

%d bloggers like this: