PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions

A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate. "PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS, enabling attackers to automate the insertion of a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks," researchers Francesco Iubatti and Alessandro Strino said. It is also the latest addition in a long list of Android banking malware to abuse the operating system's accessibility services API to carry out its nefarious functions, including disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and serving rogue ads via push notifications. Besides stealing passwords entered by users on banking apps, the threat actors behind the operation have leveraged code obfuscation and encryption using a framework known as Auto.js to resist reverse engineering efforts. The dropper apps used to deliver PixPirate come under the garb of authenticator apps. There are no indications that the apps were published to the official Google Play Store. The findings come more than a month after ThreatFabric disclosed details of another malware called BrasDex that also comes with ATS capabilities, in addition to abusing PIX to make fraudulent fund transfers. "The introduction of ATS capabilities paired with frameworks that will help the development of mobile applications, using flexible and more widespread languages, could lead to more sophisticated malware that, in the future, could be compared with their workstation counterparts," the researchers said. The development also comes as Cyble shed light on a new Android remote access trojan codenamed Gigabud RAT targeting users in Thailand, Peru, and the Philippines since at least July 2022 by masquerading as bank and government apps. "The RAT has advanced features such as screen recording and abusing the accessibility services to steal banking credentials," the researchers said, noting its use of phishing sites as a distribution vector. The cybersecurity firm further revealed that the threat actors behind the InTheBox darknet marketplace are advertising a catalog of 1,894 web injects that are compatible with various Android banking malware such as Alien, Cerberus, ERMAC, Hydra, and Octo. The web inject modules, mainly used for harvesting credentials and sensitive data, are designed to single out banking, mobile payment services, cryptocurrency exchanges, and mobile e-commerce applications spanning Asia, Europe, Middle East, and the Americas. In a more concerning twist, fraudulent apps have found a way to bypass defenses in Apple App Store and Google Play to perpetrate what's called a pig butchering scam called CryptoRom. The technique entails employing social engineering methods such as approaching victims through dating apps like Tinder to entice them into downloading fraudulent investment apps with the goal of stealing their money. The malicious iOS apps in question are Ace Pro and MBM BitScan, both of which have since been removed by Apple. An Android version of MBM BitScan has also been taken down by Google. Cybersecurity firm Sophos, which made the discovery, said the iOS apps featured a "Review evasion technique" that enabled the malware authors to get past the vetting process. "Both the apps we found used remote content to provide their malicious functionality - content that was likely concealed until after the App Store review was complete," Sophos researcher Jagadeesh Chandraiah said. Pig butchering scams had their beginnings in China and Taiwan, and has since expanded globally in recent years, with a huge chunk of operations carried out from special economic zones in Laos, Myanmar, and Cambodia. In November 2022, the U.S. Department of Justice announced the takedown of seven domain names in connection to a pig butchering cryptocurrency scam that netted the criminal actors over $10 million from five victims.

This Cyber News was published on thehackernews.com. Publication date: Mon, 06 Feb 2023 08:24:03 +0000


Cyber News related to PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions

PixPirate: The Brazilian financial malware you can't see, part one - The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan malware that heavily utilizes anti-research techniques. Within IBM Trusteer, we saw several different ...
10 months ago Securityintelligence.com
PixPirate Android malware uses new tactic to hide on phones - The latest version of the PixPirate banking trojan for Android employs a new method to hide on phones while remaining active, even if its dropper app has been removed. PixPirate is a new Android malware first documented by the Cleafy TIR team last ...
9 months ago Bleepingcomputer.com
PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions - A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of ...
1 year ago Thehackernews.com
Ten new Android banking trojans targeted 985 bank apps in 2023 - This year has seen the emergence of ten new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutes across 61 countries. Banking trojans are malware that targets people's online bank ...
1 year ago Bleepingcomputer.com
Digital Transformation in the Financial Industry: The Role of Fintech - Fintech companies are providing innovative solutions to help customers save money and manage risk more effectively than ever before; they're also fueling innovation within traditional banks themselves by creating new products based on customer ...
1 year ago Hackread.com
Data Protection in Educational Institutions - This article delves into the significance of data protection in educational institutions, emphasizing three key areas: the types of educational data, data privacy regulations, and data protection measures. Lastly, robust data protection measures are ...
1 year ago Securityzap.com
Hackers Using PixPirate Malware to Obtain Banking Credentials - Pix is an online payment platform created and managed by the Central Bank of Brazil, which allows users to make quick payments and transfers with over 100 million registered accounts worldwide. Recently, a new type of mobile malware has been ...
1 year ago Heimdalsecurity.com
29 malware families target 1,800 banking apps worldwide - Mobile banking is outpacing online banking across all age groups due to its convenience and our desire to have those apps at our fingertips, according to Zimperium. This surge is accompanied by a dramatic growth in financial fraud. The research ...
11 months ago Helpnetsecurity.com
Thwarting Common Vulnerabilities: Financial Sector - DZone - By providing that kind of training alongside things like incentives for security champions and privilege-based initiatives where only the best, most security-aware developers who have completed their training are allowed to work with critical assets, ...
2 months ago Feeds.dzone.com
'Coyote' Malware Begins Its Hunt, Preying on 61 Banking Apps - In all, it represents a notable evolution in Brazil's thriving market for financial malware - and could spell big trouble down the line for security teams if it expands its focus. It may be a Brazil-focused threat to consumers for now, but as ...
10 months ago Darkreading.com
Android malware and unwanted software statistics for Q1 2024 - Over 389,000 malicious installation packages were detected, of which: 11,729 packages were related to mobile banking Trojans, 1,990 packages were mobile ransomware Trojans. The rapid growth in the total number of attacks between Q2 and Q4 2023 is ...
6 months ago Securelist.com
A Comprehensive Look at the Financial Firms in European Union and Their Rules on Cloud-Based Services - Today's technology has opened up a world of possibilities for financial firms, especially with cloud-based services. Financial institutions are now able to access a great deal of information over the internet in an efficient and timely manner. ...
1 year ago Tripwire.com
Bank of America's Security Response: Mitigating Risks After Vendor Data Breach - In a concerning development, Bank of America has informed its customers about a possible data breach stemming from a security incident involving one of its vendors. This incident raises questions about the security of sensitive customer information, ...
10 months ago Cysecurity.news
Beware, iPhone Users: iOS GoldDigger Trojan can Steal Face ID and Banking Details - Numerous people pick iPhones over Android phones because they believe iPhones are more secure. This may no longer be the case due to the emergence of a new banking trojan designed explicitly to target iPhone users. According to a detailed report by ...
10 months ago Cysecurity.news
Deluge of Nearly 300 Fake Apps Floods Iranian Banking Sector - A mammoth campaign targeting Iran's banking sector has grown in magnitude in recent months, with nearly 300 malicious Android apps targeting users for their account credentials, credit cards, and crypto wallets. Four months ago, researchers from ...
1 year ago Darkreading.com
Banking malware Grandoreiro returns after police disruption - In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank announced the disruption of the malware operation, which had been targeting Spanish-speaking countries since 2017 and caused $120 ...
7 months ago Bleepingcomputer.com
Unravelling Retirement Banking Scams and How To Protect Yourself - In the labyrinth of financial scams, one of the most insidious is the retirement banking scam. According to the FBI, in 2020 alone, financial scams targeting seniors netted more than $1 billion. It's a quiet crisis that we need to address, and ...
11 months ago Hackread.com
First Ever iOS Trojan Steals Facial Recognition Data - A novel, very sophisticated mobile Trojan dubbed GoldPickaxe. iOS that targets iOS users exclusively was discovered to collect facial recognition data, intercept SMS, and gather identity documents. The Asia-Pacific region includes the majority of ...
10 months ago Gbhackers.com
Pirated Software Puts Mac Users at Risk as Proxy Malware Emerges - Malware is being targeted at Mac users who receive pirated versions of popular apps from warez websites after they choose to download them from those websites. Various reports state that cybercriminals are infecting macOS devices with proxy trojans ...
1 year ago Cysecurity.news
Chameleon Android Trojan Offers Biometric Bypass - A new variant of an Android banking Trojan has appeared that can bypass biometric security to break into devices, demonstrating an evolution in the malware that attackers now are wielding against a wider range of victims. Spread through phishing ...
1 year ago Darkreading.com
New Grandoreiro Malware Variant Targets Spain - Cybersecurity experts at Proofpoint have identified a new variant of the Grandoreiro malware, previously known for targeting victims in Brazil and Mexico. This latest version of Grandoreiro, attributed to the threat actor TA2725, has expanded its ...
1 year ago Infosecurity-magazine.com
Android malware Grandoreiro returns after police disruption - In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank announced the disruption of the malware operation, which had been targeting Spanish-speaking countries since 2017 and caused $120 ...
7 months ago Bleepingcomputer.com
Chameleon Android Malware Can Bypass Biometric Security - A new variant of the Chameleon Android banking trojan features new bypass capabilities and has expanded its targeting area, online fraud detection firm ThreatFabric reports. Active since early 2023, the malware initially targeted mobile banking ...
11 months ago Securityweek.com
FjordPhantom Android malware uses virtualization to evade detection - A new Android malware named FjordPhantom has been discovered using virtualization to run malicious code in a container and evade detection. The malware was discovered by Promon, whose analysts report that it currently spreads via emails, SMS, and ...
1 year ago Bleepingcomputer.com
New Web injections campaign steals banking data from 50,000 people - A new malware campaign that emerged in March 2023 used JavaScript web injections to try to steal the banking data of over 50,000 users of 40 banks in North America, South America, Europe, and Japan. IBM's security team discovered this evasive threat ...
1 year ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)