
PixPirate is targeting more than 100 million Brazilian Pix instant payment accounts. Pix Payment is used in Latin America for instant payments. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate.
How does it work?
PixPirate is a known malware strain that has been reported to be active in Brazil. The malware is primarily spread through phishing emails that contain malicious attachments. Once the malware is executed on a victim’s device, it can steal sensitive information such as login credentials, financial information, and other personal data.
PixPirate can also be adapted to steal credentials and launch ATS (automatic transfer system) attacks across multiple bank user interfaces that use the Pix platform.
The malware can also intercept and delete SMS messages and push malvertising, and it contains code protection that attempts to evade detection.
PixPirate is usually delivered by a dropper application, which downloads (or in some cases just unpacks) and installs the banking trojan. During installation, PixPirate immediately tries to get Accessibility Services enabled, requesting the permission persistently through fake pop-ups until the victim accepts.
Abusing Accessibility Services is how banking trojans work: these services provide features for interacting with other apps. Once the victim grants the permission, PixPirate enables all of its malicious functionality.
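A defender can check a device for the combination described above. The following is an added example, not code from Cleafy or the original article: it parses the value of Android's `enabled_accessibility_services` secure setting and flags services from packages outside an allowlist, raising the severity when the same package also holds SMS permissions. The package names, allowlist and sample values are constructed, and the permission map is assumed to have been collected separately (for example from `adb shell dumpsys package <pkg>`).

```python
# Added example: triage of Accessibility Service grants on an Android device.
# All package names and sample values below are constructed for illustration.

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def parse_enabled_services(raw):
    """Parse `adb shell settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of package/class components;
    it is empty or the literal string "null" when nothing is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):          # short form: class relative to package
            cls = pkg + cls
        services.append((pkg, cls))
    return services

def triage(raw_setting, allowlist, granted_perms):
    """Return findings for enabled services whose package is not allowlisted."""
    findings = []
    for pkg, cls in parse_enabled_services(raw_setting):
        if pkg in allowlist:
            continue
        sms = sorted(SMS_PERMS & set(granted_perms.get(pkg, ())))
        findings.append({
            "package": pkg,
            "service": cls,
            "sms_permissions": sms,
            # Accessibility control plus SMS access matches the trojan profile.
            "severity": "high" if sms else "review",
        })
    return findings

# Constructed sample inputs (hypothetical packages).
ALLOWLIST = {"com.google.android.marvin.talkback"}
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.example.flashlight/.A11yService"
    ":com.example.updater/com.example.updater.HelperService"
)
SAMPLE_PERMS = {
    "com.example.flashlight": ["android.permission.CAMERA"],
    "com.example.updater": ["android.permission.RECEIVE_SMS",
                            "android.permission.READ_SMS"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SETTING, ALLOWLIST, SAMPLE_PERMS):
        print(finding)
```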
The Cleafy team's assessment: “PixPirate represents one of the emerging malware that will try and leverage the double edge blade mechanism related to instant payments.”
“The introduction of ATS capabilities paired with frameworks that will help the development of mobile applications, using flexible and more widespread languages (lowering the learning curve and development time), could lead to more sophisticated malware that, in the future, could be compared with their workstation counterparts.”
Concluding Thoughts
Banking trojans and malware will evolve with time. The best way to deal with cyber security threats is prevention. This includes being cautious of suspicious emails and attachments, keeping software and systems up to date, using strong and unique passwords, and regularly backing up data. Anti-virus programs can also help.