Malware Stealing Banking Passwords

With the introduction of Pix, an instant payment platform developed and managed by the monetary authority of Brazil, the Central Bank of Brazil (BCB), which enables the quick execution of payments and transfers.

It currently counts over 100 million registered accounts; the adoption of instant payments has been rapidly increasing in Europe, America, and, more recently, also in Brazil.

One such threat that has just been spotted in the wild is a new strain of mobile malware that targets Brazil and other LATAM nations. This malware’s main objectives are to steal sensitive data and commit fraud against users of the Pix platform who frequently use it.

The malware known as “PixPirate,” which Cleafy discovered between the end of 2022 and the beginning of 2023, is the most recent generation of Android banking trojans that can use the ATS (Automatic Transfer System).

It allows attackers to automatically insert a malicious money transfer over the Instant Payment platform Pix, which is used by many Brazilian banks.

Working on the PixPirate Malware

PixPirate portrays itself to victims as a trusted application while actually serving harmful ends behind well-known names and icons.

By the end of 2022, researchers discovered the following fake samples being delivered by TAs, which appear to be well consolidated:

Figure 1 - Main names/icons used by PixPirate
Main names/icons used by PixPirate

“PixPirate is usually delivered using a dropper application, used to download (or in some cases just to unpack) and install the banking Trojan”, Cleafy reports

“During its installation, PixPirate immediately tries to enable Accessibility Services that keep being requested persistently with fake pop-ups until the victim accepts.”

Since they offer features to communicate with other apps, banking trojans frequently take advantage of the accessibility services. After receiving permission from the victim, PixPirate will activate all of its harmful features.

Notably, the android banking malware takes advantage of the accessibility services API to perform its malicious tasks, which include disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and delivering fake advertisements via push notifications.

Stealing Banking Passwords from Browsers

The malware steals user-entered passwords from banking apps, researchers say the threat actors behind the operation have used code obfuscation and encryption utilizing the Auto.js framework to thwart attempts at reverse engineering.

Using one of PixPirate’s JavaScript modules and the well-known Android accessibility features, the banking password is stolen. Each targeted bank has a unique function inside of this module because every banking application has a different layout.

PixPirate can distinguish the various UI elements of the bank’s activity and the password element displayed on the screen through Accessibility Services. It takes the user’s password if it notices any changes to the password input text.

Figure 6 - Example of a portion of code used to steal the password of the targeted bank
Example of a portion of code used to steal the password of the targeted bank

Additional Features of PixPirate Malware

Additionally, PixPirate includes a script that may be used to delete SMS messages that include particular text. 

The malware is capable of long-clicking, selecting the delete button, and completing the deletion when the default SMS app is active in the foreground.

“Among the main countermeasures adopted by PixPirate to slow down the analysis are code obfuscation and encryption, other than classic functionalities that try to avoid application removal at runtime”, explain Cleafy researchers.

Threat actors incorporated certificate pinning, a popular method for protecting communications from man-in-the-middle attacks.

PixPirate has also been seen to attack the Pix instant payment system, which is used by numerous Brazilian institutions.

As a result, researchers say it is not possible to rule out that in the near future, there will be even more threats that will follow the PixPirate instance, targeting other LATAM countries or even shifting their attention to other regions, despite the fact that PixPirate appears to still be in the early stages of development.

Network Security Checklist – Download Free E-Book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.