A shocking new report claims the latest malware targeting Android devices hides dangerous apps from view, meaning users can’t know they’ve been attacked until it’s too late…
“Malware always tries to stay hidden,” warns this week’s alarming new Android malware report, “making itself invisible so victims can’t detect it.” And while this type of attack was more common before Google improved restrictions with Android 10, this latest threat found “a new technique to hide its icon that we’ve never seen used by financial malware before.”
And so it begins. Here’s the latest attack vector targeting Android devices—including high-end, thousand-dollar-plus phones from Samsung, Google and others, which are now taking on Apple’s iPhone by touting their devices as secure alternatives.
This particular malware, called PixPirate and first spotted by Cleafy earlier this year, has now been further analyzed by IBM’s research team. Their report details insidious tactics that ensure “the victim remains unaware of the malicious operations this malware performs in the background.”
It was called PixPirate because this first attack targeted the hugely popular Pix payment platform—with some 140 million users—in Brazil, a market where Samsung is by far the leading brand. But again, there’s no reason the attack couldn’t be modified to target other platforms in other countries.
The malware monitors user activity with online banking in mind, finding opportunities to steal login credentials for various accounts and even intercept two-factor SMS authentication codes. “PixPirate is a sophisticated remote financial access Trojan,” explains IBM, “which makes extensive use of anti-research techniques.” The hiding trick is built into its delivery: a dropper installs the malware core and then starts it itself, so the core never needs a launcher entry and no icon ever appears on the device’s home screen or app drawer.
IBM’s report lists the various actions this “dropper and droppee” combination can perform on an infected device. It’s both an impressive list and a wake-up call to just how dangerous this type of malware can be, due to the sheer extent of the compromises that can be made in the background.
- Manipulating and managing other applications
- Keylogging
- Collecting a list of applications installed on the device
- Installing and removing applications from an infected device
- Locking and unlocking the device screen
- Accessing registered phone accounts
- Accessing the list of contacts and calls in progress
- Accurately determining device location
- Anti-virtual machine (VM) and anti-debug capabilities
- Persistence after reboot
- Spreading via WhatsApp
- Reading, editing and deleting SMS messages
- Anti-removal and disabling of Google Play Protect
Google has said that none of these malicious programs are currently present in its official Play Store, so the infections come through sideloaded apps. That is the argument Apple has made so publicly in warning that Europe forcing it to open third-party stores “brings greater risks to users and developers. This includes new avenues for malware, scams and fraud, illegal and harmful content, and other threats to privacy and security. These changes also threaten Apple’s ability to detect, prevent, and take action against malicious apps on iOS, and to support users affected by issues with apps downloaded outside the App Store.”
This last point is crucial, because the icon-hiding technique works on current releases up to and including Android 14, so the warning applies to owners of Samsung’s premium devices and Google’s Pixel devices, which are supposed to offer better levels of protection than the more cost-effective Android devices, especially those that operate outside the Play ecosystem.
As with many such attacks, it starts with a link shared via SMS or WhatsApp, essentially using social engineering to trick users into agreeing to the installation. This brings the dropper to the device, which then downloads, installs and runs the underlying APK of the malware itself.
As more and more of our online credentials become tied to our personal smartphones, an attacker who controls this many device functions can pass the identity-assurance checks that banks and other services rely on, because every request appears to come from the victim’s own trusted device.
Details on how to delete malicious apps can be found here.
As for PixPirate specifically, there is no suggestion yet that this attack has been exported more widely, so you can only prevent infections by following the usual golden rules:
- Stick to official app stores—don’t use third-party stores, and never change your device’s security settings to allow an app to load.
- Check out the developer in the app description—is this someone you’d like in your life? And check the reviews, do they look legit or farmed?
- Don’t give permissions to an app it doesn’t need: flashlights and stargazing apps don’t need access to your contacts and phone. Never grant accessibility permissions that facilitate device control unless you have to.
- Never ever click links in emails or messages that directly download apps or updates—always use app stores for installations and updates.
- Don’t install apps that link to established apps like WhatsApp unless you know for sure they’re legit—check reviews and online records.
But where there is one, there are usually more. And so a good tip is to run security software to scan your device and delete any such third-party installations, especially if you’ve clicked on a text link.
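The practical version of that scan, for anyone with a USB cable and adb, is to look for exactly the two things the report describes: user-installed packages that did not come from a store, and packages that hold the accessibility grant that gives device control. The script below is an added example, not code from IBM, Cleafy or Google; it parses the text printed by `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`, and the sample output embedded in it is constructed (the package names are invented for illustration). The set of trusted installers is an assumption you should adjust to the stores you actually use.

```python
"""Triage sideloaded packages and accessibility grants from adb output.

Added example, not from the reports discussed on this page. It parses the
text that `adb shell pm list packages -3 -i` and
`adb shell settings get secure enabled_accessibility_services` print, so it
runs offline on the constructed samples below and unchanged on real captures.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Installers that represent a store the user chose. Anything else, including
# the literal "null" that a browser/messenger sideload leaves behind, is flagged.
# Assumption: the Galaxy Store is treated as a chosen store.
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
}

# `pm list packages -3 -i` prints one line per third-party package:
#   package:<name>  installer=<installing package or null>
PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


@dataclass
class Finding:
    package: str
    installer: str
    accessibility_services: List[str] = field(default_factory=list)

    @property
    def sideloaded(self) -> bool:
        return self.installer not in TRUSTED_INSTALLERS

    @property
    def risk(self) -> Optional[str]:
        # Unknown origin plus an accessibility service is the shape described
        # on this page: a sideloaded app that can drive the device.
        if self.sideloaded and self.accessibility_services:
            return "high"
        if self.sideloaded:
            return "medium"
        if self.accessibility_services:
            return "low"
        return None


def parse_packages(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer from `pm list packages -3 -i` output."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installers[m.group("pkg")] = m.group("installer")
    return installers


def parse_accessibility(settings_output: str) -> Dict[str, List[str]]:
    """Map package -> enabled accessibility service classes.

    The setting is `pkg/Class:pkg2/Class2`, or the literal `null` (or an
    empty string) when no service is enabled; both mean "nothing granted".
    """
    value = settings_output.strip()
    enabled: Dict[str, List[str]] = {}
    if not value or value == "null":
        return enabled
    for component in value.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg:
            enabled.setdefault(pkg, []).append(cls)
    return enabled


def triage(pm_output: str, settings_output: str) -> List[Finding]:
    """Return third-party packages worth a second look, riskiest first.

    Only packages from the `-3` listing are reported, so system accessibility
    services such as a screen reader drop out on their own.
    """
    a11y = parse_accessibility(settings_output)
    findings = [
        Finding(pkg, installer, a11y.get(pkg, []))
        for pkg, installer in parse_packages(pm_output).items()
    ]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((f for f in findings if f.risk),
                  key=lambda f: (order[f.risk], f.package))


# Constructed sample output (invented package names), not a real capture.
SAMPLE_PM = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.authsvc  installer=com.example.flashlight
"""
SAMPLE_A11Y = ("com.example.authsvc/com.example.authsvc.ControlService:"
               "com.android.talkback/com.google.android.marvin.talkback.TalkBackService")

if __name__ == "__main__":
    for f in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(f"{f.risk:6} {f.package}  installer={f.installer}  "
              f"a11y={f.accessibility_services}")
```

On the sample, `com.example.authsvc` is reported first: it was not installed by a store, and it holds an accessibility service. Its installer column also names another user-installed app rather than a store, which is how a dropper-and-droppee chain looks in `pm list packages -i`, since the field records the package that ran the install. Anything rated high here is a candidate for `adb shell pm uninstall --user 0 <package>` followed by a Play Protect scan, after confirming it is not something you installed deliberately.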
In response to this research, a Google spokesperson told me that “based on our current detections, no apps containing this malware have been found on Google Play. Android users are automatically protected against known versions of this malware using Google Play Protect, which is turned on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
Google also convinced me that Play Protect would protect users from this latest malware when enabled, despite a report suggesting this may not be the case.
While this latest attack clearly targets all types of Android devices, Samsung is the only real challenger to Apple’s iPhone when it comes to the premium market, with these heightened expectations for device security and integrity.
Between them, Samsung and (mostly) Apple fill all ten spots in the latest global smartphone sales rankings, and both will compete on on-device AI later this year, with Samsung echoing some of Apple’s focus on the device itself. But Samsung’s biggest challenge is Google and the limitations Android places on its ability to operate autonomously. This type of security warning reflects that perfectly.
However, Google continues to bring Android closer to the iPhone in terms of the level of security built into the OS. But as long as reports like this keep popping up, there will be a perception that Android is intrinsically less secure than the iPhone, which is a big risk for those spending $1,000 to $2,000 on a phone. There is still some serious work to be done…