A sophisticated Brazilian banking Trojan uses a new method to hide its presence on Android devices.
“PixPirate” is a multifaceted malware specially made to target Pix, a bank transfer application developed by the Central Bank of Brazil. Pix is a good target for Brazil-nexus cybercriminals since, despite being barely 3 years old, it is already integrated into most online platforms of Brazilian banks and has more than 150 million users according to Statista. It processes somewhere around 3 billion transactions each month, in total about 250 billion dollars’ worth of Brazilian real.
PixPirate’s latest powerful trick, documented in a new IBM blog post, is how it skillfully hides its presence on an Android device — no app icon, seemingly no footprint — despite the protections Google engineers have designed to prevent exactly this from happening. And experts warn that similar tactics could be employed by banking malware targeting the US and EU as well.
How PixPirate infections work
PixPirate is the ultimate successor to the banking trojans of the past.
It is usually spread through a fake bank authentication app, a link to which is sent to potential victims via WhatsApp or SMS. Clicking the link installs a downloader, which then prompts the user to additionally install an “updated” version of the rogue app; that “update” is the PixPirate payload.
“From the victim’s perspective, they are unaware of the PixPirate malware installed by the downloader because in their eyes the downloader is legitimate. So they are unlikely to suspect anything fishy,” explains Nir Somech, mobile security researcher at IBM Trusteer.
Once comfortably embedded in an Android phone, the malware sits and waits until the user opens the right banking app. At that point, it springs into action, capturing the login credentials they type and sending them to the Command and Control (C2) server run by the attacker. With account access in hand, it shows the user a fake screen on top while opening the banking app underneath, programmatically presses the buttons needed to reach its Pix page, and then executes the unauthorized transfer.
PixPirate also has dozens of other features to facilitate this financial scam, from pinpointing device location to keylogging, locking and unlocking the screen, accessing contacts and call history, installing and deleting apps, persistence after reboot, and more.
However, its newest, most advanced feature lies in how it hides all evidence of itself from the user.
How PixPirate hides on Android
Traditionally, malicious apps hid their presence on compromised devices by simply hiding home screen icons.
Since Android 10, however, this has become impossible. Nowadays, all app icons must be visible, except for system apps and apps that request no user permissions.
Like every advance in cybersecurity before it, this positive change also served as a creative constraint. “It allowed threat actors to adapt, which is what we’re seeing with this new mechanism, where the icon doesn’t need to be hidden because it just doesn’t exist,” Somech says.
By “doesn’t exist,” he means that PixPirate has no main activity on the device — no launcher to begin with. So how do you launch an app without a launcher?
The key is that it is the downloader, rather than the payload, that runs as a regular application on the device. When it wants to, it launches the payload by creating and binding to an exported service that can run it. The two then keep communicating and forwarding malicious commands.
For persistence, once the downloader has started it for the first time, the payload service also binds to other “receivers”, which are activated when other events are triggered on the device.
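A defender reviewing installed apps can look for exactly the manifest profile described above: no MAIN/LAUNCHER activity, a service exported for another app to bind to, an accessibility service, and receivers for re-activation. The following triage script is an added example, not code from IBM or the PixPirate analysis; it parses a decoded AndroidManifest.xml and flags that profile, and the embedded sample manifest is constructed here with a placeholder package name, not an indicator from the report.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
MAIN, LAUNCHER = "android.intent.action.MAIN", "android.intent.category.LAUNCHER"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest with the traits described above: no MAIN/LAUNCHER activity,
# an exported service another app can bind to, an accessibility service and a receiver.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.payload">
  <application>
    <service android:name=".CommandService" android:exported="true"/>
    <service android:name=".OverlayA11yService" android:permission="{A11Y_PERMISSION}"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def has_launcher_filter(component) -> bool:
    """True if an activity or activity-alias declares a MAIN + LAUNCHER intent filter."""
    for flt in component.findall("intent-filter"):
        actions = {a.get(NS + "name") for a in flt.findall("action")}
        categories = {c.get(NS + "name") for c in flt.findall("category")}
        if MAIN in actions and LAUNCHER in categories:
            return True
    return False


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise launcher presence, exported services, accessibility services and receivers."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    comps = [] if app is None else list(app)
    launchable = [c for c in comps if c.tag in ("activity", "activity-alias") and has_launcher_filter(c)]
    services = [c for c in comps if c.tag == "service"]
    # Counts only an explicit android:exported="true"; before Android 12 an omitted flag on a filtered service also meant exported.
    report = {
        "package": root.get("package"),
        "has_launcher_activity": bool(launchable),
        "exported_services": [s.get(NS + "name") for s in services if s.get(NS + "exported") == "true"],
        "accessibility_services": [s.get(NS + "name") for s in services if s.get(NS + "permission") == A11Y_PERMISSION],
        "receivers": [c.get(NS + "name") for c in comps if c.tag == "receiver"],
    }
    # Heuristic: no launcher entry point plus a bindable service and an accessibility service
    # is the profile worth a manual look; on its own it is not proof of malice.
    report["suspicious"] = not launchable and bool(report["exported_services"]) and bool(report["accessibility_services"])
    return report
```

On a device, the same check can be run against manifests pulled from packages that `pm list packages` shows but no launcher lists, which is the gap this hiding technique exploits.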
According to IBM Trusteer, this is the first financial malware ever to use this method to operate without an app icon.
Are US payment apps vulnerable?
For anyone worried that PixPirate could pose a threat to US banks and banking apps — such as Venmo, Zelle and PayPal — there is both good news and bad news.
The good news is that the malware is custom made. “PixPirate exploits specific functionality and vulnerabilities within the Pix payment system, which may not directly apply to US payment applications with different architectures and security mechanisms,” explains Sarah Jones, Cyber Threat Intelligence Research Analyst at Critical Start. “Even if core functionality could be adapted, the malware’s reliance on abusing accessibility services could require changes to match the different accessibility implementations used by US applications.”
However, she cautions, “While an exact replica may face obstacles, the underlying techniques used by PixPirate are a concern for US payment systems. The concept of abusing accessibility services for malicious purposes could encourage attackers to target other vulnerable functionality in US applications.”
“Thus,” she concludes, “while PixPirate’s direct threat to US payment systems may be limited, its emergence underscores the importance of proactive security measures in protecting sensitive financial information.”