The latest version of the PixPirate banking trojan for Android employs a new method to hide on phones while remaining active, even if its dropper app has been removed.
PixPirate is a new Android malware, first documented by the Cleafy TIR team last month, that has been seen targeting Latin American banks.
Though Cleafy noted that a separate downloader app launches the malware, its report did not delve into the malware's innovative hiding or persistence mechanisms, or those mechanisms may have been introduced only recently.
A new report by IBM explains that, contrary to the standard tactic of malware attempting to hide its app icon, which is only possible on Android versions up to 9, PixPirate does not use a launcher icon at all.
This enables the malware to remain hidden on all recent Android releases up to version 14.
Not using an icon at all creates the practical problem of not giving the victim a way to launch the malware.
IBM Trusteer researchers explain that the new PixPirate versions utilize two different apps that work together to steal information from devices.
The first app is known as a 'downloader' and is distributed through APKs that are spread via phishing messages sent on WhatsApp or SMS. This downloader app requests access to risky permissions upon installation, including Accessibility Services, and then proceeds to download and install the second app, which is the encrypted PixPirate banking malware.
Because the droppee app has no launcher icon, the victim never opens it directly. Instead, the droppee app exports a service that other apps can bind to, and the downloader connects to that service when it wants to trigger the launch of the PixPirate malware.
Besides the dropper app, which can launch and control the malware, other triggers include device boot, connectivity changes, and further system events that PixPirate listens for, allowing it to execute in the background.
Even if the victim removes the downloader app from the device, PixPirate can continue to launch based on different device events and hide its existence from the user.
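The manifest-level fingerprint of that layout (no launcher activity, an exported service a dropper can bind, receivers for boot and connectivity broadcasts) can be checked mechanically. The following is an added triage heuristic, not code from the article, IBM or Cleafy; the trigger action strings, the default-export rule for pre-Android 12 components, and the sample manifest are constructed assumptions.

```python
# Added example, not code from the article, IBM or Cleafy: a manifest triage
# heuristic for the pattern described above (no launcher icon, an exported
# service a dropper can bind, boot/connectivity receivers). Assumed strings.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
TRIGGER_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                   "android.net.conn.CONNECTIVITY_CHANGE"}

def _filter_names(component, tag):
    # android:name values of <tag> elements inside the component's intent-filters
    return {e.get(NS + "name") for f in component.findall("intent-filter")
            for e in f.findall(tag)}

def _is_exported(component):
    flag = component.get(NS + "exported")
    if flag is not None:
        return flag == "true"
    # Before Android 12 a component with an intent-filter was exported by default.
    return component.find("intent-filter") is not None

def triage_manifest(xml_text):
    """Indicators a reviewer would pull from an AndroidManifest.xml."""
    app = ET.fromstring(xml_text).find("application")
    has_launcher = any(
        "android.intent.action.MAIN" in _filter_names(a, "action")
        and "android.intent.category.LAUNCHER" in _filter_names(a, "category")
        for a in app.findall("activity") + app.findall("activity-alias"))
    f = {
        "has_launcher_icon": has_launcher,
        "exported_services": [s.get(NS + "name") for s in app.findall("service")
                              if _is_exported(s)],
        "trigger_receivers": [r.get(NS + "name") for r in app.findall("receiver")
                              if _filter_names(r, "action") & TRIGGER_ACTIONS],
    }
    # The combination the article describes: hidden from the user, yet still started.
    f["pixpirate_like"] = (not has_launcher and bool(f["exported_services"])
                           and bool(f["trigger_receivers"]))
    return f

# Constructed sample resembling the droppee layout described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application>
 <service android:name=".Hub" android:exported="true"/>
 <receiver android:name=".Wake" android:exported="true"><intent-filter>
  <action android:name="android.intent.action.BOOT_COMPLETED"/>
  <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
 </intent-filter></receiver>
</application></manifest>"""
```

A hit on all three indicators is a triage lead, not a verdict: legitimate background apps (VPN clients, device-management agents) can match, so the result should feed manual review rather than an automatic block.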
The malware targets the Brazilian instant payment platform Pix, attempting to divert funds to attackers by intercepting or initiating fraudulent transactions.
PixPirate's RAT capabilities allow it to automate the entire fraud process, from capturing user credentials and two-factor authentication codes to executing unauthorized Pix money transfers, all in the background without users' knowledge.
Accessibility Service permissions are required for this.
Cleafy's report from last month also highlighted the use of push notification malvertising and the malware's capability to disable Google Play Protect, one of Android's core security features.
Though PixPirate's infection method isn't novel and can be easily remediated by avoiding APK downloads, not using an icon and registering services bound to system events is an alarming new strategy.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 13 Mar 2024 18:15:36 +0000