PixPirate: The Brazilian financial malware you can't see, part one

The constantly mutating PixPirate malware has taken that strategy to a new extreme.
PixPirate is a sophisticated financial remote access trojan malware that heavily utilizes anti-research techniques.
Within IBM Trusteer, we saw several different techniques to hide malware from its victims.
Most banking malware conceals its existence on the mobile device by hiding its launcher icon from the victim using the PackageManager setComponentEnabledSetting application programming interface.
To address this new challenge, PixPirate introduced a new technique to hide its icon that we have never seen financial malware use before.
Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background.
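The icon-hiding technique the article attributes to most banking malware leaves a visible trace on the device: the app's declared launcher activity is present in the APK manifest but marked disabled in the package manager's runtime state. The checker below, an added example that is not code from the IBM Trusteer write-up or from PixPirate, reconciles those two views and reports packages whose launcher activity has been switched off. It assumes two text inputs normally collected with `adb shell dumpsys package` (runtime component state) and `aapt dump badging <apk>` concatenated for each pulled APK (declared `launchable-activity`); both samples are constructed here so the script runs offline, and the exact dumpsys layout varies by Android version, so the parsing is an assumption to adapt. An app that never declares a launcher activity has nothing to disable and is outside the scope of this check.

```python
"""Flag installed packages whose declared launcher activity is disabled.

Added example, not from the original article. Inputs are constructed samples
shaped like `dumpsys package` and `aapt dump badging` output; the parsing of
that layout is an assumption, not a guaranteed format.
"""
import re

# Constructed excerpt in the shape of `adb shell dumpsys package`.
DUMPSYS_SAMPLE = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    userId=10145
    User 0: ceDataInode=123 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0
      gids=[3003]
      disabledComponents:
        com.example.notes.MainActivity
      enabledComponents:
        com.example.notes.UpdateService
  Package [com.example.weather] (4d5e6f):
    userId=10146
    User 0: ceDataInode=124 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0
      gids=[3003]
      disabledComponents:
        com.example.weather.DebugActivity
"""

# Constructed excerpt in the shape of `aapt dump badging` run on each APK.
BADGING_SAMPLE = """\
package: name='com.example.notes' versionCode='7' versionName='1.2'
sdkVersion:'24'
launchable-activity: name='com.example.notes.MainActivity'  label='Notes' icon=''
package: name='com.example.weather' versionCode='3' versionName='0.9'
sdkVersion:'24'
launchable-activity: name='com.example.weather.HomeActivity'  label='Weather' icon=''
"""


def parse_disabled_components(dumpsys_text):
    """Map package name -> set of component classes listed under disabledComponents."""
    disabled = {}
    pkg = None
    block_indent = None  # indentation of the current 'disabledComponents:' header
    for line in dumpsys_text.splitlines():
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        m = re.match(r"Package \[([\w.]+)\]", stripped)
        if m:
            pkg = m.group(1)
            block_indent = None
            continue
        # The component list ends when indentation drops back to the header level.
        if block_indent is not None and indent <= block_indent:
            block_indent = None
        if block_indent is not None:
            if pkg and stripped:
                disabled.setdefault(pkg, set()).add(stripped)
            continue
        if stripped == "disabledComponents:":
            block_indent = indent
    return disabled


def parse_launchable_activities(badging_text):
    """Map package name -> set of activities declared with MAIN/LAUNCHER in the manifest."""
    launchable = {}
    pkg = None
    for line in badging_text.splitlines():
        m = re.match(r"package: name='([^']+)'", line)
        if m:
            pkg = m.group(1)
            continue
        m = re.match(r"launchable-activity: name='([^']+)'", line)
        if m and pkg:
            launchable.setdefault(pkg, set()).add(m.group(1))
    return launchable


def find_hidden_launchers(dumpsys_text, badging_text):
    """Return sorted (package, activity) pairs whose launcher activity is disabled."""
    disabled = parse_disabled_components(dumpsys_text)
    launchable = parse_launchable_activities(badging_text)
    findings = []
    for pkg, comps in sorted(disabled.items()):
        for comp in sorted(comps & launchable.get(pkg, set())):
            findings.append((pkg, comp))
    return findings


if __name__ == "__main__":
    for pkg, activity in find_hidden_launchers(DUMPSYS_SAMPLE, BADGING_SAMPLE):
        print(f"launcher activity disabled: {pkg} ({activity})")
```

Only `com.example.notes` is reported: its declared launcher activity is in the disabled list, whereas `com.example.weather` has merely disabled a non-launcher debug activity, which is ordinary behaviour and not evidence of icon hiding.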
If two-factor authentication is needed to complete the fraudulent transaction, the malware can also access, edit and delete the victim's SMS messages, including any messages the bank sends.
Most financial malware comprises one main Android Package file.
This is not the case for PixPirate, which is built of two components: a downloader APK and the droppee APK. The use of a downloader app as part of a financial attack is not new; however, unlike most financial malware today that uses a downloader as a service, both the droppee and the downloader for PixPirate were created by the same actor.
The PixPirate downloader role in the infection flow of the malware is different from other financial malware.
Once the victim launches the downloader, it asks the victim to install an updated version of itself, which is the actual PixPirate malware.
After the malware gets all the necessary permissions it needs to run, it collects some information and data regarding the infected device to decide if this is a legitimate device and a good candidate for fraud and then sends all this data to the PixPirate C2.
[Figure: FakeChat manifest, showing the malware's app tag and the path of the app icon in the icon value]
PixPirate malware is the first financial malware observed by IBM Trusteer researchers that uses this technique to hide itself and its launcher icon so that victims won't notice that malware is installed and running on the device.
The malware monitors the victim's activities on the device and waits for the user to launch a targeted banking application.
The victim is not aware that the malware is stealing credentials as everything seems legitimate, as the malware hides itself and operates in the background.
Once on the Pix transfer/payment page, the malware executes the Pix money transfer.
In the following image, we can see the different functions the malware calls to enter the relevant details and execute the money transfer.
If 2FA is needed as part of the banking flow, the malware can also intercept SMS messages that the user receives from the bank.
PixPirate fraud occurs automatically, as this malware contains code for all the different activities that are required to complete Pix fraud - log in, enter Pix details, enter credentials, confirm and more.
With nuanced methods of staying hidden and the capacity for serious harm, PixPirate presents a troubling new threat on the malware playing field.


This Cyber News was published on securityintelligence.com. Publication date: Sun, 28 Jan 2024 11:13:06 +0000

