PixStealer

PixStealer Description

PixStealer is an Android Banking Trojan that targets the Pix payment system and aims to empty the victim's funds. Pix is an instant payment solution launched in 2020 by the Central Bank of Brazil. Since then, it has grown to 40 million transactions per day and a total of $4.7 billion worth of transfers in a week. It is no wonder that cybercriminals are now starting to target it.

According to the findings of Check Point Research, the PixStealer threat was distributed by a fake PagBank Cashback service application. Its sole target was the Brazilian PagBank. The threatening application was available for download on the Google Play store.

Threatening Capabilities

The PixStealer threat exhibits a never-before-seen technique that allows it to collect the victim's money via Pix transactions. Another distinguishing characteristic of the threat is that it is extremely minimalistic. The threat actor has gone in the opposite direction of the recent trend among Android Banking Trojans getting more and more sophisticated. Instead, PixStealer lacks the functionality to perform any of the common banker functions, such as collecting credentials of targeted bank applications. It cannot communicate with a Command-and-Control (C&C, C2) server, either. 

In practical terms, this means that PixStealer cannot receive instructions from the attackers, cannot be updated, and cannot upload any information from the device. However, this approach allows the threat to rely on minimum permissions and potentially remain hidden for far longer while pursuing its sole function - to transfer the victim's funds to an account controlled by the cybercriminals. It achieves this harmful goal by abusing the legitimate Android Accessibility Service. 

The Accessibility Service was implemented to help people with various disabilities operate their phones far more comfortably. However, hackers quickly realized that if their threatening creations were granted access to the service, they could abuse it to perform numerous intrusive actions on the device. The most abused aspect of the Accessibility Service is its ability to intercept and monitor all activities taking place on the device's screen.
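
Because a threat built this way asks for almost nothing in its permission list, screening on requested permissions alone will not surface it; the declared accessibility service is the signal to review. The following Python triage check is an added example, not part of the original write-up or of Check Point Research's tooling. The package name, service name, sample manifest and the max_permissions threshold are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample: a decoded manifest for a hypothetical app, not a real sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cashback">
  <application android:label="Cashback">
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

def triage_manifest(xml_text, max_permissions=3):
    """Flag apps that declare an accessibility service, noting a thin permission list.

    Expects a text-form AndroidManifest.xml (already decoded from the APK).
    For manifests from untrusted APKs, parse with a hardened XML parser.
    """
    root = ET.fromstring(xml_text.strip())
    permissions = sorted(
        p.get(A + "name") for p in root.iter("uses-permission") if p.get(A + "name")
    )
    services = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # Both markers are required for Android to bind the service as accessibility.
        if svc.get(A + "permission") == BIND_A11Y and A11Y_ACTION in actions:
            services.append(svc.get(A + "name"))
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "accessibility_services": services,
        "review": bool(services),  # any accessibility service warrants manual review
        "low_permission_profile": bool(services) and len(permissions) <= max_permissions,
    }

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A flagged app is a candidate for manual review, not a verdict: legitimate screen readers and password managers declare the same service.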

PixStealer's Attack

When the fake application is started, it shows the victim a message box that asks for Accessibility Service permissions under the pretense of 'cashback' functionality. Next, it prompts the victim to open the PagBank application for supposed synchronization. With the permissions it has received, the threat can easily open the application itself, but letting the users do it themselves is less suspicious.

Once victims have opened the application and entered their credentials, the threat abuses the Accessibility Service to simulate a tap on the 'Show' button and retrieve the current balance of the account. PixStealer displays a fake overlay and asks the user to wait for the non-existent 'synchronization' to finish. However, in the background, the threat is siphoning the funds and transferring them to the attacker's account.