New Android Banking Trojan Targeting Brazilian Financial Institutions

A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform.

Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate.

“PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS (Automatic Transfer System), enabling attackers to automate the insertion of a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks,” researchers Francesco Iubatti and Alessandro Strino said.

It is also the latest addition in a long list of Android banking malware to abuse the operating system’s accessibility services API to carry out its nefarious functions, including disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and serving rogue ads via push notifications.

Besides stealing passwords entered by users on banking apps, the threat actors behind the operation have leveraged code obfuscation and encryption using a framework known as Auto.js to resist reverse engineering efforts.

The dropper apps used to deliver PixPirate come under the garb of authenticator apps. There are no indications that the apps were published to the official Google Play Store.

The findings come more than a month after ThreatFabric disclosed details of another malware called BrasDex that also comes with ATS capabilities, in addition to abusing PIX to make fraudulent fund transfers.

“The introduction of ATS capabilities paired with frameworks that will help the development of mobile applications, using flexible and more widespread languages (lowering the learning curve and development time), could lead to more sophisticated malware that, in the future, could be compared with their workstation counterparts,” the researchers said.

The development also comes as Cyble shed light on a new Android remote access trojan codenamed Gigabud RAT targeting users in Thailand, Peru, and the Philippines since at least July 2022 by masquerading as bank and government apps.

“The RAT has advanced features such as screen recording and abusing the accessibility services to steal banking credentials,” the researchers said, noting its use of phishing sites as a distribution vector.

The cybersecurity firm further revealed that the threat actors behind the InTheBox darknet marketplace are advertising a catalog of 1,894 web injects that are compatible with various Android banking malware such as Alien, Cerberus, ERMAC, Hydra, and Octo.

The web inject modules, mainly used for harvesting credentials and sensitive data, are designed to single out banking, mobile payment services, cryptocurrency exchanges, and mobile e-commerce applications spanning Asia, Europe, Middle East, and the Americas.

But in a more concerning twist, fraudulent apps have found a way to bypass defenses in Apple App Store and Google Play to perpetrate what’s called a pig butchering scam called CryptoRom.

The technique entails employing social engineering methods such as approaching victims through dating apps like Tinder to entice them into downloading fraudulent investment apps with the goal of stealing their money.

The malicious iOS apps in question are Ace Pro and MBM_BitScan, both of which have since been removed by Apple. An Android version of MBM_BitScan has also been taken down by Google.

Cybersecurity firm Sophos, which made the discovery, said the iOS apps featured a “review evasion technique” that enabled the malware authors to get past the vetting process.

“Both the apps we found used remote content to provide their malicious functionality — content that was likely concealed until after the App Store review was complete,” Sophos researcher Jagadeesh Chandraiah said.

Pig butchering scams had their beginnings in China and Taiwan, and has since expanded globally in recent years, with a huge chunk of operations carried out from special economic zones in Laos, Myanmar, and Cambodia.

In November 2022, the U.S. Department of Justice (DoJ) announced the takedown of seven domain names in connection to a pig butchering cryptocurrency scam that netted the criminal actors over $10 million from five victims.