Financial institutions in Brazil, already known for facing the highest number of cyberattacks and internet-based frauds, are witnessing another threat from emerging banking malware. Dubbed PixPirate, the malware is said to be the newest generation of Android banking trojans due to its advanced attack capabilities.
The PixPirate campaign
Cleafy Researchers have been tracking the new Android malware since the end of 2022 and specifically target Brazilian banking firms.
The malware is delivered under the pretense of fake authenticator apps, possibly via third-party app stores. It uses fake names, such as Key Authenticator / Updated Key Authenticator, and icons to lure victims into downloading the apps.
Upon installation, it asks for permissions for Accessibility Services, which are then used for further malicious activities such as intercepting and deleting SMS, intercepting banking credentials, and disabling Google Play Protect.
Furthermore, it performs Automatic Transfer System (ATS) attacks on banks via PIX transactions, which is a popular payment method supported and used by several banks in Brazil.
Evading detection
Besides password-stealing capabilities, PixPirate’s developers have used several tactics to equip the malware with anti-detection capabilities.
Its code is based on Auto.js, an automation platform used for developing Android applications, with an on-device JavaScript interpreter, complicating reverse engineering efforts.
It allows the automation of tasks such as simulating touch-based interactions, entering text, and scrolling across lists, all wrapped under a heavy layer of code obfuscation.
In addition, the developers use evasion techniques such as control flow flattering, and string array encoding, along with garbage functions and variable names.
What more
PixPirate uses HTTP for its C2 server communications, while for data transfer and exchange, it uses JSON format.
The developer further leverages the certificate pinning technique to protect its communications from man-in-the-middle attacks.
Ending notes
Advanced capabilities such as ATS and choice of platform (Auto.js) indicate that the malware developers are technically well-versed. Looking at the ever-expanding market of Android users, experts believe that such threats could be used to target other LATAM countries and other regions worldwide.