
PixPirate Banking Trojan

In February 2024, cybersecurity researchers brought to light the existence of a previously unknown Android malware tracked as PixPirate. This threat has been deployed in targeted attacks against banks in Latin America. Presently, experts caution that an updated iteration of the PixPirate Banking Trojan has surfaced, featuring a new stealth technique enabling it to persist on devices even after its dropper application has been removed.

PixPirate Utilizes Two Different Applications to Collect Banking Info from Victims’ Android Phones

Researchers have noted a significant departure from the conventional strategy employed by malware, particularly with PixPirate. Unlike typical malware, which tries to hide its icon (a tactic that only works on Android versions up to 9), PixPirate has no launcher icon at all. This approach lets the malware remain hidden on recent Android systems, up to and including version 14. The absence of an icon creates a different problem, however: the victim has no way to launch the malware. To get around this, PixPirate employs two distinct applications that work in tandem to harvest sensitive data from infected devices.

The initial application, referred to as the 'downloader,' is spread as APKs (Android Package Files) and distributed via phishing messages on platforms like WhatsApp or SMS. Upon installation, this downloader application requests access to high-risk permissions, including Accessibility Services. Subsequently, it proceeds to fetch and install the second application, dubbed 'droppee,' which is the encrypted PixPirate banking malware.

The 'droppee' application does not declare a main activity with 'android.intent.action.MAIN' and 'android.intent.category.LAUNCHER' in its manifest, so no icon appears on the home screen and the app stays entirely inconspicuous. Instead, the droppee application exports a service that other applications can access. The downloader connects to this service to launch the PixPirate malware as required.

Various Triggers Can Start the Execution of the PixPirate Banking Trojan

In addition to the dropper application's capability to initiate and control the malware, PixPirate can also be triggered by various system events, such as device booting or changes in connectivity, which it actively monitors. This enables PixPirate to operate surreptitiously in the background of the victim's device.

The droppee component of PixPirate features a service named 'com.companian.date.sepherd,' which is exported and equipped with an intent filter using the custom action 'com.ticket.stage.Service.' When the downloader intends to activate the droppee, it connects to this service with the 'bindService' API and the 'BIND_AUTO_CREATE' flag, which creates and starts the droppee service.

Following the creation and binding process of the droppee service, the droppee APK is launched and begins its operations. At this point, even if the victim removes the downloader application from the device, PixPirate can continue to maintain its operation, triggered by various device events, while effectively concealing its presence from the user.
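A defender-side triage check for the three manifest traits described above (no launcher activity, an exported service reachable through a custom action, and receivers for boot or connectivity events). This is an added example, not code from the researchers or from the malware; it runs over a decoded AndroidManifest.xml, and the embedded manifest is constructed for illustration, with placeholder package, component and action names rather than indicators from a real sample.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Manifest-declared system events the write-up names as PixPirate triggers.
SYSTEM_TRIGGERS = {"android.intent.action.BOOT_COMPLETED",
                   "android.net.conn.CONNECTIVITY_CHANGE"}

# Constructed manifest mimicking the droppee's traits; the package, component
# and action names are placeholders, not indicators from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application>
    <service android:name=".HiddenService" android:exported="true">
      <intent-filter><action android:name="com.example.placeholder.START"/></intent-filter>
    </service>
    <receiver android:name=".EventReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
      <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
    </intent-filter></receiver>
  </application>
</manifest>"""


def _filter_names(component, tag):
    """Names of <action> or <category> elements across a component's intent filters."""
    return {e.get(NS + "name") for f in component.findall("intent-filter") for e in f.findall(tag)}


def triage_manifest(xml_text):
    """Report the PixPirate-style traits present in a decoded AndroidManifest.xml."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:  # empty or malformed manifest: treat as having no components
        app = ET.Element("application")
    has_launcher = any(
        "android.intent.action.MAIN" in _filter_names(a, "action")
        and "android.intent.category.LAUNCHER" in _filter_names(a, "category")
        for a in app.findall("activity"))
    # Exported services reachable through a custom (non android.*) action.
    custom_services = [
        s.get(NS + "name") for s in app.findall("service")
        if s.get(NS + "exported") == "true"
        and any(not act.startswith("android.") for act in _filter_names(s, "action"))]
    triggers = sorted(SYSTEM_TRIGGERS & set().union(
        *(_filter_names(r, "action") for r in app.findall("receiver"))))
    return {
        "no_launcher_activity": not has_launcher,
        "exported_custom_services": custom_services,
        "system_triggers": triggers,
        # All three traits together match the persistence pattern described.
        "suspicious": not has_launcher and bool(custom_services) and bool(triggers),
    }
```

Run it on the output of a manifest decoder (for example the AndroidManifest.xml that apktool writes) to flag packages worth a closer look; a benign app with a normal launcher activity comes back as not suspicious.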

PixPirate Targets the Pix Payment Platform Specifically

The malware specifically targets the Pix instant payment platform in Brazil, aiming to siphon funds to attackers by intercepting or initiating fraudulent transactions. Pix has gained significant popularity in Brazil, with over 140 million users conducting transactions exceeding $250 billion as of March 2023.

PixPirate leverages Remote Access Trojan (RAT) capabilities to automate the entire fraudulent process, from capturing user credentials and two-factor authentication codes to executing unauthorized Pix money transfers, all stealthily without user awareness. However, achieving these tasks requires obtaining Accessibility Service permissions.

Additionally, PixPirate incorporates a fallback manual control mechanism for instances where automated methods fail, providing attackers with an alternative means to carry out on-device fraud. Researchers also highlight the malware's utilization of push notification malvertising and its ability to disable Google Play Protect, a fundamental security feature of the Android platform.

While the method of infection employed by PixPirate is not groundbreaking and can be mitigated by refraining from downloading unauthorized APKs, its adoption of strategies such as the absence of an icon and the registration of services bound to system events represents a concerning and novel approach.
