
The threat actors behind the PixPirate Android banking Trojan are using a new trick to evade detection of infected devices and obtain sensitive information from Brazilian users.
IBM said in a technical report released today that this method can hide the icon of the malicious application on the home screen of the victim’s device.
Security researcher Nir Somech said: “With this new technique, during the PixPirate reconnaissance and attack phases, victims remain unaware of the malicious actions performed by the malware in the background.”
PixPirate, first documented by Cleafy in February 2023, is known for abusing Android accessibility services to secretly perform unauthorized funds transfers using the PIX instant payment platform when a target banking app is opened.
The ever-mutating malware is also capable of stealing victims’ online banking credentials and credit card information, as well as capturing keystrokes and intercepting text messages to access two-factor authentication codes.

The malware is typically distributed via SMS and WhatsApp, and the attack chain relies on a dropper (also known as a downloader) application designed to deploy the primary payload (known as the droppee) that carries out the financial fraud.
“Normally, the downloader is used to download and install the droppee. From this point on, the droppee is the main player in all fraud operations and the downloader is irrelevant,” Somech explained.
“In the case of PixPirate, the downloader is not only responsible for downloading and installing the droppee, but also for running and executing it. The downloader plays an active role in the droppee’s malicious activity, because the two communicate with each other and execute.”
Once launched, the downloader APK prompts the victim to update the application, which retrieves the PixPirate component from an attacker-controlled server or installs it directly if it is embedded within the downloader itself.

Changes in the latest version of the droppee include the removal of the “android.intent.action.MAIN” action and the “android.intent.category.LAUNCHER” category from its activity, the combination that lets a user launch an application from the home screen by tapping its icon.
In other words, the infection chain requires the downloader and the droppee to work together: the downloader runs the PixPirate APK by binding to a service that the droppee exports.
“Later, to maintain persistence, the droppee will also be triggered to run by the different receivers it has registered,” Somech said. “The receivers are set up to activate based on different events that occur in the system, not necessarily by the initial trigger of the droppee being run by the downloader.”
“This technique allows the PixPirate droppee to run and hide its presence even if the victim deletes the PixPirate downloader from the device.”
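The indicators described above (no MAIN/LAUNCHER activity, so no home-screen icon; an exported service that another app can bind to; broadcast receivers registered for system events; an accessibility service) can all be read straight from an APK's decoded AndroidManifest.xml. The following manifest triage script is an added example written for this article, not code from IBM, Cleafy, or the malware itself; both sample manifests are constructed here for illustration, and the package and component names in them are placeholders. The accessibility-service check goes slightly beyond the paragraph above, since the article also notes PixPirate's abuse of accessibility services.

```python
"""Triage a decoded AndroidManifest.xml for the combination of traits the article
describes: hidden launcher icon + exported service + event-driven receivers.
Added example for this article; not IBM's, Cleafy's, or the malware's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def has_launcher_activity(root):
    """True if any activity carries a MAIN action plus LAUNCHER category."""
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            cats = {_attr(c, "name") for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                return True
    return False


def exported_services(root):
    """Names of services other apps can bind to: android:exported="true", or
    (pre-Android 12 default) no exported attribute but an intent-filter."""
    names = []
    for svc in root.iter("service"):
        exported = _attr(svc, "exported")
        has_filter = svc.find("intent-filter") is not None
        if exported == "true" or (exported is None and has_filter):
            names.append(_attr(svc, "name"))
    return names


def receiver_triggers(root):
    """Map each broadcast receiver to the system actions that wake it."""
    triggers = {}
    for rcv in root.iter("receiver"):
        actions = [_attr(a, "name")
                   for flt in rcv.findall("intent-filter")
                   for a in flt.findall("action")]
        triggers[_attr(rcv, "name")] = actions
    return triggers


def triage(manifest_xml):
    """Return structured findings for one decoded manifest string."""
    root = ET.fromstring(manifest_xml)
    launcher = has_launcher_activity(root)
    services = exported_services(root)
    receivers = receiver_triggers(root)
    a11y = any(_attr(s, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for s in root.iter("service"))
    findings = []
    if not launcher:
        findings.append("no MAIN/LAUNCHER activity: app shows no home-screen icon")
    if services:
        findings.append("exported services: " + ", ".join(services))
    if receivers:
        findings.append("event-driven receivers: " + ", ".join(receivers))
    if a11y:
        findings.append("declares an accessibility service")
    return {"hidden_icon": not launcher, "exported_services": services,
            "receivers": receivers, "accessibility_service": a11y,
            "findings": findings}


# Constructed sample: mimics the droppee traits from the article (placeholder names).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.droppee">
  <application android:label="Update">
    <activity android:name=".HiddenActivity"/>
    <service android:name=".RemoteControlService" android:exported="true">
      <intent-filter><action android:name="com.example.constructed.START"/></intent-filter>
    </service>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a launcher icon and nothing exported.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(xml)["findings"])
```

On a real device the same questions can be asked of an installed package's dumped manifest (for example via `aapt dump xmltree` or `apktool d`); a missing launcher intent-filter on a user-installed app that nonetheless exports a bindable service and listens for boot events is the pattern worth escalating.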

This development comes as Latin American (LATAM) banks are being targeted by new malware called Fakext, which uses a rogue Microsoft Edge extension called SATiD to perform browser-in-the-middle and web injection attacks that harvest the credentials victims enter on targeted bank websites.
It is worth noting that SAT ID is a service provided by the Mexican Tax Administration (SAT) for generating and updating electronic signatures for online tax returns.
In some cases, Fakext displays an overlay that urges victims to download legitimate remote access tools by claiming to be the bank’s IT support team, ultimately enabling the threat actor to conduct financial fraud.
The campaign, which has been running since at least November 2023, targets 14 banks operating in the region, most of them in Mexico. This extension is available from the Edge Add-ons store.